CVE-2021-25318

描述

A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example Rancher should have allowed users access to `apps.catalog.cattle.io`, but instead incorrectly gave access to `apps.*`. Resource affected include: **Downstream clusters:** apiservices clusters clusterrepos persistentvolumes storageclasses **Rancher management cluster** apprevisions apps catalogtemplates catalogtemplateversions clusteralertgroups clusteralertrules clustercatalogs clusterloggings clustermonitorgraphs clusterregistrationtokens clusterroletemplatebindings clusterscans etcdbackups nodepools nodes notifiers pipelineexecutions pipelines pipelinesettings podsecuritypolicytemplateprojectbindings projectalertgroups projectalertrules projectcatalogs projectloggings projectmonitorgraphs projectroletemplatebindings projects secrets sourcecodeproviderconfigs There is not a direct mitigation besides upgrading to the patched Rancher versions.

受影響套件(2)

• Go/github.com/rancher/rancher>= 2.0.0, < 2.4.16
• Go/github.com/rancher/rancher>= 2.0.0+incompatible

CVSS 分數

參考連結(6)

• ADVISORYhttps://github.com/advisories/GHSA-f9xf-jq4j-vqw4
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25318
• PATCHhttps://github.com/rancher/rancher
• WEBhttps://bugzilla.suse.com/show_bug.cgi?id=1184913
• WEBhttps://github.com/rancher/rancher/issues/33590
• WEBhttps://pkg.go.dev/vuln/GO-2024-2768