CVE-2023-22647

CVSS V2: None
CVSS V3: None
Description
An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted while their read-level permissions to the secret were preserved. When this operation was followed up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from 2.6.0 before 2.6.13, from 2.7.0 before 2.7.4.
Overview
  • CVE ID: CVE-2023-22647
  • Assigner: suse
  • Vulnerability Status: PUBLISHED
  • Published Version: 2023-06-01T12:52:49.035Z
  • Last Modified Date: 2023-06-01T12:52:49.035Z
History
Created | Old Value | New Value | Data Type | Notes
2024-06-25 14:28:54 | | | | Added to TrackCVE