CVE-2021-25318: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource’s API group. For example Rancher should have allowed users access to apps.catalog.cattle.io
, but instead incorrectly gave access to apps.*
.
References
Detect and mitigate CVE-2021-25318 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →