Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22648 #1816

Closed
GoVulnBot opened this issue Jun 1, 2023 · 2 comments
Closed
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2023-22648 references github.com/rancher/rancher, which may be a Go module.

Description:
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users
while they are logged in the Rancher UI. This would cause the users to
retain their previous permissions in Rancher, even if they change groups
on Azure AD, for example, to a lower privileged group, or are removed
from a group, thus retaining their access to Rancher instead of losing
it.
This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/rancher/rancher
      packages:
        - package: Rancher
description: "A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users \nwhile they are logged in the Rancher UI. This would cause the users to \nretain their previous permissions in Rancher, even if they change groups\n on Azure AD, for example, to a lower privileged group, or are removed \nfrom a group, thus retaining their access to Rancher instead of losing \nit.\nThis issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n\n"
cves:
    - CVE-2023-22648
references:
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8
    - web: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648

@tatianab tatianab self-assigned this Jun 2, 2023
@tatianab tatianab added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jun 2, 2023
@tatianab tatianab removed their assignment Jun 2, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/500496 mentions this issue: data/excluded: batch add 9 excluded reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants