CVE-2024-22031: Rancher users who can create Projects can gain access to arbitrary projects
A vulnerability has been identified in Rancher where a user who is allowed to create projects on one cluster can create a project whose name matches an existing project on a different cluster. Doing so gives the user access to that other project, which is a privilege escalation. The root cause is that the namespace used on the local cluster to store a project's related resources (PRTBs and secrets) is named after the project alone, so two projects with the same name on different clusters share the same backing namespace.
Please consult the associated MITRE ATT&CK - Technique - Privilege Escalation for further information about this category of attack.
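The following Python model is an added illustration, not Rancher's code: the `Project` fields, the store classes and the backing-namespace scheme are assumptions chosen to mirror the mechanism the advisory describes. It shows why naming the backing namespace after the project alone lets a same-named project on another cluster share it, a hardened scheme that derives the namespace from the (cluster, project) pair and refuses to reuse an existing one, and an audit helper that lists project names already present on more than one cluster.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    cluster: str  # cluster the project belongs to (assumed field)
    name: str     # user-chosen project name
    owner: str    # creator, who receives a binding (PRTB) in the backing namespace


class VulnerableStore:
    """Models the flawed behaviour described in the advisory: each project's
    PRTBs and secrets live in a local-cluster namespace named after the
    project, so same-named projects on different clusters share one namespace."""

    def __init__(self):
        # backing namespace -> users holding a binding (PRTB) in it
        self.bindings = defaultdict(set)

    def backing_namespace(self, project):
        return project.name  # the cluster is ignored: this is the root cause

    def create_project(self, project):
        ns = self.backing_namespace(project)
        self.bindings[ns].add(project.owner)
        return ns

    def can_access(self, user, project):
        return user in self.bindings.get(self.backing_namespace(project), set())


class HardenedStore(VulnerableStore):
    """Derives the backing namespace from the (cluster, name) pair and refuses
    to create a project whose backing namespace already exists."""

    def backing_namespace(self, project):
        # Hash with a NUL separator so ("a-b", "c") and ("a", "b-c") cannot
        # collide the way a plain f"{cluster}-{name}" join could.
        digest = hashlib.sha256(f"{project.cluster}\0{project.name}".encode()).hexdigest()
        return f"p-{digest[:16]}"

    def create_project(self, project):
        ns = self.backing_namespace(project)
        if ns in self.bindings:
            raise ValueError(f"backing namespace {ns} already exists")
        return super().create_project(project)


def find_collisions(projects):
    """Audit helper: report project names that appear on more than one cluster."""
    clusters_by_name = defaultdict(list)
    for p in projects:
        if p.cluster not in clusters_by_name[p.name]:
            clusters_by_name[p.name].append(p.cluster)
    return {name: clusters for name, clusters in clusters_by_name.items() if len(clusters) > 1}


def demo():
    """Run the scenario on constructed sample data and return the observations."""
    alice = Project("cluster-a", "payments", "alice")      # constructed sample
    mallory = Project("cluster-b", "payments", "mallory")  # same name, other cluster

    vulnerable = VulnerableStore()
    vulnerable.create_project(alice)
    vulnerable.create_project(mallory)

    hardened = HardenedStore()
    hardened.create_project(alice)
    hardened.create_project(mallory)
    try:
        hardened.create_project(Project("cluster-a", "payments", "eve"))
        rejects_duplicate = False
    except ValueError:
        rejects_duplicate = True

    return {
        "vulnerable_cross_cluster_access": vulnerable.can_access("mallory", alice),
        "hardened_cross_cluster_access": hardened.can_access("mallory", alice),
        "hardened_owner_access": hardened.can_access("alice", alice),
        "hardened_rejects_duplicate": rejects_duplicate,
        "collisions": find_collisions([alice, mallory]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`find_collisions` is the piece an operator can reuse as an inventory check: run it over the project list exported from each cluster before upgrading, and any name it reports is a pair that shares a backing namespace under the flawed scheme.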