Skip to main content

Rancher CVE-2022-31247

CRITICAL
Improper Authorization (CWE-285)
2022-09-07 meissner@suse.de
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 07, 2022 - 09:15 nvd
CRITICAL 9.1

DescriptionNVD

An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.6.7; Rancher versions prior to 2.5.16.

AnalysisAI

An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner,. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-285. An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.6.7; Rancher versions prior to 2.5.16. Affected products include: Suse Rancher. Version information: prior to 2.6.7.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-21951 MEDIUM POC
6.8 May 25

A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network

CVE-2023-22651 CRITICAL
9.9 May 04

Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. Rated critical severity (CVSS 9

CVE-2021-25320 CRITICAL
9.9 Jul 15

A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by cr

CVE-2019-11202 CRITICAL
9.8 Jul 30

An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, a

CVE-2026-44939 CRITICAL
9.4 Jun 19

{token}_{clusterId}.yaml. CVSS 4.0 rates this 9.4 (Critical) with a scope-changing impact on subsequent systems, but no

CVE-2026-44946 CRITICAL
9.5 Jun 30

SAML assertion replay in Rancher's Assertion Consumer Service (ACS) handler lets a person-in-the-middle who captures a v

CVE-2026-41052 CRITICAL
9.4 Jun 29

Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to im

CVE-2017-7297 HIGH
8.8 Mar 29

Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. Rated

CVE-2026-41053 HIGH
8.8 Jun 30

Privilege escalation in Rancher 2.13 (before 2.13.6) and 2.14 (before 2.14.2) lets any authenticated user gain principal

CVE-2023-22648 HIGH
8.8 Jun 01

A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected

CVE-2021-31999 HIGH
8.8 Jul 15

A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as oth

CVE-2021-25318 HIGH
8.8 Jul 15

A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify r

Share

CVE-2022-31247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy