CVE-2023-22650

Oct. 16, 2024, 4:38 p.m.

8.8
High

Description

A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable.

Product(s) Impacted

Product Versions
Rancher

Weaknesses

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22650
https://github.com/rancher/rancher/security/advisories/GHSA-9ghh-mmcq-8phc

Tags

CWE-306
CWE-287
2024-10-16
meissner@suse.de
CVE-2023-22650

CVSS Score

8.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: Oct. 16, 2024, 9:15 a.m.
  • Last Modified: Oct. 16, 2024, 4:38 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

meissner@suse.de

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.