Execution with Unnecessary Privileges Affecting github.com/rancher/rancher/pkg/settings package, versions >=2.7.0 <2.7.16-alpha5, >=2.8.0 <2.8.9-alpha10, >=2.9.0 <2.9.3-alpha5
Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGSETTINGS-8310221
- published 30 Oct 2024
- disclosed 25 Oct 2024
- credit Unknown
Introduced: 25 Oct 2024
CVE-2024-22036
How to fix?
Upgrade github.com/rancher/rancher/pkg/settings to version 2.7.16-alpha5, 2.8.9-alpha10, 2.9.3-alpha5 or higher.
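As an added example (not part of the Snyk advisory or of Rancher's own code), the following Go helper checks an installed Rancher version against the three affected ranges stated above and reports whether it falls inside one of them. It assumes Rancher orders its prerelease tags naturally (alpha5 before alpha10), which the stated fix versions imply; a strict SemVer comparison of the identifier "alpha10" against "alpha5" is lexical and would misclassify 2.8.9-alpha9 as already fixed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Version is a parsed Rancher-style version: major.minor.patch plus an optional prerelease tag.
type Version struct {
	Nums [3]int
	Pre  string // "" means a final release, which sorts after every prerelease of the same number
}

// ParseVersion accepts forms such as "2.8.9" or "v2.8.9-alpha10".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v Version
	core, pre, _ := strings.Cut(s, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad numeric component %q in %q", p, s)
		}
		v.Nums[i] = n
	}
	v.Pre = pre
	return v, nil
}

// splitRuns splits "alpha10" into ["alpha", "10"] so digit runs can be compared numerically.
func splitRuns(s string) []string {
	var runs []string
	start := 0
	for i := 1; i <= len(s); i++ {
		if i == len(s) || unicode.IsDigit(rune(s[i])) != unicode.IsDigit(rune(s[start])) {
			runs = append(runs, s[start:i])
			start = i
		}
	}
	return runs
}

// comparePre orders prerelease tags naturally (alpha5 < alpha10). This is an assumption about
// how Rancher numbers its prereleases; strict SemVer would compare the tags as plain strings.
func comparePre(a, b string) int {
	if a == b {
		return 0
	}
	if a == "" {
		return 1 // final release sorts after any prerelease
	}
	if b == "" {
		return -1
	}
	ra, rb := splitRuns(a), splitRuns(b)
	for i := 0; i < len(ra) && i < len(rb); i++ {
		if ra[i] == rb[i] {
			continue
		}
		na, errA := strconv.Atoi(ra[i])
		nb, errB := strconv.Atoi(rb[i])
		if errA == nil && errB == nil {
			if na < nb {
				return -1
			}
			return 1
		}
		if ra[i] < rb[i] {
			return -1
		}
		return 1
	}
	if len(ra) < len(rb) {
		return -1 // a shorter tag that is a prefix of the other sorts first
	}
	return 1
}

// Compare returns -1, 0 or 1 for a < b, a == b, a > b.
func Compare(a, b Version) int {
	for i := 0; i < 3; i++ {
		if a.Nums[i] != b.Nums[i] {
			if a.Nums[i] < b.Nums[i] {
				return -1
			}
			return 1
		}
	}
	return comparePre(a.Pre, b.Pre)
}

// Range is a half-open interval [Min, Max): Min is affected, Max is the first fixed version.
type Range struct{ Min, Max string }

// AffectedRanges for CVE-2024-22036, copied from the advisory above.
var AffectedRanges = []Range{
	{"2.7.0", "2.7.16-alpha5"},
	{"2.8.0", "2.8.9-alpha10"},
	{"2.9.0", "2.9.3-alpha5"},
}

// IsAffected reports whether the given Rancher version lies inside any affected range.
func IsAffected(version string) (bool, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range AffectedRanges {
		lo, _ := ParseVersion(r.Min)
		hi, _ := ParseVersion(r.Max)
		if Compare(v, lo) >= 0 && Compare(v, hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample versions, chosen to sit on both sides of each range boundary.
	for _, s := range []string{"2.7.15", "2.8.9-alpha9", "2.8.9-alpha10", "2.8.9", "2.9.3-alpha5", "2.6.14", "2.10.0"} {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-14s affected=%v\n", s, affected)
	}
}
```

Feed it the version reported by your Rancher deployment; anything that returns true should be upgraded to the fix version listed above for its minor line.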
Overview
github.com/rancher/rancher/pkg/settings is a package of Rancher, a complete container management platform.
Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to not sufficiently isolating cluster and node drivers from the root-privileged containing service, in the NewPlugin() function for node drivers, and binaries being placed at an insecure location in the user's PATH. A privileged user can escape the chroot jail or gain privileges on the underlying system by registering a malicious driver. During registration, the binaries /usr/bin/rancher-machine, /usr/bin/helm_v3, and /usr/bin/kustomize are executed with the privileges of the parent process.