x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22651 #1757

Closed
GoVulnBot opened this issue May 4, 2023 · 1 comment

@GoVulnBot

CVE-2023-22651 references github.com/rancher/rancher, which may be a Go module.

Description:
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster.

The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/rancher/rancher
    packages:
      - package: Rancher
description: "Improper Privilege Management vulnerability in SUSE Rancher allows Privilege
    Escalation. A failure in the update logic of Rancher's admission Webhook may lead
    to\n the misconfiguration of the Webhook. This component enforces validation\n
    rules and security checks before resources are admitted into the \nKubernetes
    cluster.\nThe issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2.
    Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are
    not affected.\n\n\n"
cves:
  - CVE-2023-22651
references:
  - web: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22651
  - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g

@jba jba self-assigned this May 9, 2023
@jba jba added the excluded: EFFECTIVELY_PRIVATE (This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.) and duplicate labels, then removed the excluded: EFFECTIVELY_PRIVATE label, May 9, 2023
@jba
Contributor

jba commented May 9, 2023

Duplicate of #1736

@jba jba marked this as a duplicate of #1736 May 9, 2023
@jba jba closed this as completed May 9, 2023