Improper Ownership Management in github.com/rancher/rancher/pkg/controllers/managementuser/secret | CVE-2024-22031

Q: How to fix?

Upgrade github.com/rancher/rancher/pkg/controllers/managementuser/secret to version 2.9.9-alpha1, 2.10.5-alpha3, 2.11.1-alpha2 or higher.

Introduced: 25 Apr 2025

NewCVE-2024-22031 (opens in a new tab) CWE-282 (opens in a new tab)

How to fix?

Upgrade github.com/rancher/rancher/pkg/controllers/managementuser/secret to version 2.9.9-alpha1, 2.10.5-alpha3, 2.11.1-alpha2 or higher.

Overview

github.com/rancher/rancher/pkg/controllers/managementuser/secret is a project that provides a container management platform built for organizations that deploy containers in production

Affected versions of this package are vulnerable to Improper Ownership Management for projects, whose namespace defaults to being the project name, regardless of cluster. A user with permission to create a project can escalate privileges to those of a user who owns a project by the same name in a different cluster by creating a project with the same name, thereby gaining access to the other project's resources.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
High
Integrity (SI)
High
Availability (SA)
High

Improper Ownership Management Affecting github.com/rancher/rancher/pkg/controllers/managementuser/secret package, versions >=2.8.0-alpha1 <2.9.9-alpha1>=2.10.0-alpha1 <2.10.5-alpha3>=2.11.0-alpha1 <2.11.1-alpha2

Severity

Do your applications use this vulnerable package?

Introduced: 25 Apr 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk