GMS-2023-139: Privilege escalation in project role template binding (PRTB) and -promoted roles

January 25, 2023

An issue was discovered in Rancher versions from 2.5.0 up to and including 2.5.16 and from 2.6.0 up to and including 2.6.9, where an authorization logic flaw allows privilege escalation via project role template binding (PRTB) and -promoted roles. This issue is not present in Rancher 2.7 releases.

References

github.com/advisories/GHSA-7m72-mh5r-6j3r
github.com/rancher/rancher/security/advisories/GHSA-7m72-mh5r-6j3r

Code Behaviors & Features

Detect and mitigate GMS-2023-139 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →