CVE-2023-32196: Rancher's External RoleTemplates can lead to privilege escalation
A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate
objects when external=true, which in specific scenarios can lead to privilege escalation.
The bug in the webhook rule resolver ignores rules from a ClusterRole
for external RoleTemplates
when its context is set to either project
or is left empty. The fix introduces a new field to the RoleTemplate
CRD named ExternalRules
. The new field will be used to resolve rules directly from the RoleTemplate
. Additionally, rules from the backing ClusterRole
will be used if ExternalRules
is not provided. The new field will always take precedence when it is set, and serve as the source of truth for rules used when creating Rancher resources on the local cluster.
Please note that this is a breaking change for external RoleTemplates
, when context is set to project
or empty and the backing ClusterRole
does not exist, as this was not previously required.
References
Detect and mitigate CVE-2023-32196 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →