Vulnerability Description
An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Suse | Rancher | >= 2.6.0, < 2.6.13 |
Related Weaknesses (CWE)
References
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647Issue TrackingVendor Advisory
- https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6Vendor Advisory
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647Issue TrackingVendor Advisory
- https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6Vendor Advisory
FAQ
What is CVE-2023-22647?
CVE-2023-22647 is a vulnerability with a CVSS score of 9.9 (CRITICAL). An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the se...
How severe is CVE-2023-22647?
CVE-2023-22647 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-22647?
Check the references section above for vendor advisories and patch information. Affected products include: Suse Rancher.