CVE-2021-25318: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources

April 24, 2024

A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource’s API group. For example Rancher should have allowed users access to apps.catalog.cattle.io, but instead incorrectly gave access to apps.*.

References

bugzilla.suse.com/show_bug.cgi?id=1184913
github.com/advisories/GHSA-f9xf-jq4j-vqw4
github.com/rancher/rancher
github.com/rancher/rancher/issues/33590
nvd.nist.gov/vuln/detail/CVE-2021-25318

Code Behaviors & Features

Detect and mitigate CVE-2021-25318 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →