Incorrect Privilege Assignment Affecting github.com/rancher/rancher/pkg/data/management package, versions >=2.7.0 <2.7.14 >=2.8.0 <2.8.5
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGDATAMANAGEMENT-7268019
- published 19 Jun 2024
- disclosed 17 Jun 2024
- credit Unknown
Introduced: 17 Jun 2024
CVE-2023-32196 Open this link in a new tabHow to fix?
Upgrade github.com/rancher/rancher/pkg/data/management to version 2.7.14, 2.8.5 or higher.
Overview
Affected versions of this package are vulnerable to Incorrect Privilege Assignment when enforcing the privileges of a the RoleTemplate object with external set to true. For such objects, when the ClusterRole is set to project or is empty, an attacker can escalate privileges.
The package maintainers have provided a script for users to identify and correct RoleTemplates with a missing externalRules field and no backing ClusterRole.
#!/bin/bash
set -euo pipefail
get all RoleTemplates with .context == "project" or .context == "" that don't have externalRules.
rts=$(kubectl get roletemplates -o json | jq -r '.items[] | select((.context == "project" or .context == "") and .external == true and .externalRules == null) | .metadata.name')
found_invalid_rt=false
for rt in $rts; do
if ! kubectl get clusterrole "$rt" > /dev/null 2>&1; then
echo "$rt" # prints RoleTemplate names that don't have a backing ClusterRole
found_invalid_rt=true
fi
done
if ! $found_invalid_rt ; then
echo 'This cluster is not affected by CVE-2023-32197: no RoleTemplate objects found'
fi