CVE-2022-31247

moderate-risk

Published 2022-09-07

An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.6.7; Rancher versions prior to 2.5.16.

Do I need to act?

0.34% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Rancher

Affected Vendors

Suse

References (4)

Exploit https://bugzilla.suse.com/show_bug.cgi?id=1199730

Exploit https://github.com/rancher/rancher/security/advisories/GHSA-6x34-89p7-95wg

Exploit https://bugzilla.suse.com/show_bug.cgi?id=1199730

Exploit https://github.com/rancher/rancher/security/advisories/GHSA-6x34-89p7-95wg

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal