Home > Vulnerability Database > WS-2023-0022

Mend.io Vulnerability Database

WS-2023-0022

Good to know:

Date: January 25, 2023

It was discovered that when an external authentication provider is configured in Rancher and then disabled, the Rancher generated tokens associated with users who had access granted through the now disabled auth provider are not revoked. This allows users to retain access to Rancher and kubectl access to clusters managed by Rancher, according to their previous configured permissions, even after they are supposed to have lost it due to the auth provider been disabled. The issue is patched in versions 2.5.17, 2.6.10, and 2.7.1

Language: Go

Severity Score

8.8

Related Resources (2)

Url: https://github.com/rancher/rancher/commit/ace79bdf23d9f423632516cbaed82f696e92e145

Url: https://www.mend.io/vulnerability-database/WS-2023-0022

Severity Score

8.8

Weakness Type (CWE)

Authentication Issues

CWE-287

Top Fix

Upgrade Version

Upgrade to version v2.5.17,v2.6.10,v2.7.1

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0022

Good to know:

Date: January 25, 2023

Language: Go

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?