CVE-2023-22648

Published: Jun 1, 2023

Modified: Oct 9, 2024

PUBLISHED

CVSS v3.1

8.0

HIGH

Description

A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it. This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4.

Vendor	Product	Versions
SUSE	Rancher	affected `>= 2.6.7 - < < 2.6.13` affected `>= 2.7.0 - < < 2.7.4`

Weaknesses (CWE)

CWE-271

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-22648

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References