Vulnerability Description
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it. This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Suse | Rancher | >= 2.6.7, < 2.6.13 |
Related Weaknesses (CWE)
References
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648Issue TrackingVendor Advisory
- https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8Vendor Advisory
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648Issue TrackingVendor Advisory
- https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8Vendor Advisory
FAQ
What is CVE-2023-22648?
CVE-2023-22648 is a vulnerability with a CVSS score of 8.0 (HIGH). A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to...
How severe is CVE-2023-22648?
CVE-2023-22648 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-22648?
Check the references section above for vendor advisories and patch information. Affected products include: Suse Rancher.