Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication
Package
Affected versions
<= 2.4.17
>= 2.5.0, <= 2.5.11
>= 2.6.0, <= 2.6.2
Patched versions
2.4.18
2.5.12
2.6.3
Description
Published by the National Vulnerability Database
Apr 4, 2022
Published to the GitHub Advisory Database
Apr 24, 2024
Reviewed
Apr 24, 2024
Last updated
Apr 24, 2024
Impact
This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2.
When removing a Project Role associated to a group from a project, the bindings that grant access to cluster scoped resources for those subjects do not get deleted. This happens due to an incomplete authorization logic check. A user who is a member of an affected group with authenticated access to Rancher could use this to access resources they should no longer have access to. The exposure level will depend on the original permission level granted to the affected project role.
Patches
Patched versions include releases 2.4.18, 2.5.12, 2.6.3 and later versions.
Workarounds
Limit access in Rancher to trusted users. There is not a direct mitigation besides upgrading to the patched Rancher versions.
References
Cluster and project roles documentation for Rancher 2.6, 2.5 and 2.4.
For more information
If you have any questions or comments about this advisory:
References