CVE-2023-22647

EPSS 0.59%
Published 01.06.2023 13:15:10
Last modified 21.11.2024 07:45:07
Source meissner@suse.de
Teams watchlist Login
Open Login

An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local
 cluster, resulting in the secret being deleted, but their read-level 
permissions to the secret being preserved. When this operation was 
followed-up by other specially crafted commands, it could result in the 
user gaining access to tokens belonging to service accounts in the local cluster.


This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Suse ≫ Rancher Version >= 2.6.0 < 2.6.13

Suse ≫ Rancher Version >= 2.7.0 < 2.7.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.59%	0.68

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8	2.1	5.9	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
meissner@suse.de	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-267 Privilege Defined With Unsafe Actions

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647

Vendor Advisory

Issue Tracking

https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-22647

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-22647

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-22647

EUVD