Execution with Unnecessary Privileges Affecting github.com/rancher/rancher/pkg/controllers/management/drivers/nodedriver package, versions >=2.7.0 <2.7.16-alpha5>=2.8.0 <2.8.9-alpha10>=2.9.0 <2.9.3-alpha5
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGCONTROLLERSMANAGEMENTDRIVERSNODEDRIVER-8310219
- published30 Oct 2024
- disclosed25 Oct 2024
- creditUnknown
Introduced: 25 Oct 2024
CVE-2024-22036 Â (opens in a new tab)How to fix?
Upgrade github.com/rancher/rancher/pkg/controllers/management/drivers/nodedriver to version 2.7.16-alpha5, 2.8.9-alpha10, 2.9.3-alpha5 or higher.
Overview
github.com/rancher/rancher/pkg/controllers/management/drivers/nodedriver is a project that provides a container management platform built for organizations that deploy containers in production.
Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to not sufficiently isolating cluster and node drivers from the root-privileged containing service, in the NewPlugin() function for node drivers, and binaries being placed at an insecure location in the user's PATH. A privileged user can escape the chroot jail or gain privileges on the underlying system by registering a malicious driver. During registration, the binaries /usr/bin/rancher-machine, /usr/bin/helm_v3, and /usr/bin/kustomize are executed with the privileges of the parent process.