Base Score

HIGH8.6

CVE-2023-32194

A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces"; no matter the API group, the subject will receive * permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project.

VectorNETWORK

Published Bymeissner@suse.de

Published DateOct 16, 2024, 13:15

Affected Versions(3)

github.com/rancher/rancher(Go)

Introduced2.6.0

Fixed2.6.14

LimitN/A

github.com/rancher/rancher(Go)

Introduced2.7.0

Fixed2.7.10

LimitN/A

github.com/rancher/rancher(Go)

Introduced2.8.0

Fixed2.8.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/rancher/rancher(Go)	2.6.0	2.6.14	N/A
github.com/rancher/rancher(Go)	2.7.0	2.7.10	N/A
github.com/rancher/rancher(Go)	2.8.0	2.8.2	N/A

Weakness Type (CWE):CWE-269

CVSS Metrics

Base Score

8.6

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

HIGH

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

Base Score

HIGH8.6

Weakness Type (CWE):CWE-269

CVSS Metrics

Base Score

8.6

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

HIGH

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)