Vulnerabilities > CVE-2018-20321 - Exposure of Resource to Wrong Sphere vulnerability in Suse Rancher

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

suse

CWE-668

critical

NVD

Published: 2019-04-10

Updated: 2022-04-13

Summary

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.

Vulnerable Configurations

Part	Description	Count
Application	Suse Suse Rancher 2.0.0 Suse Rancher 2.0.1 Suse Rancher 2.0.2 Suse Rancher 2.0.3 Suse Rancher 2.0.4 Suse Rancher 2.0.5 Suse Rancher 2.0.6 Suse Rancher 2.0.7 Suse Rancher 2.0.8 Suse Rancher 2.0.9 Suse Rancher 2.0.10 Suse Rancher 2.0.11 Suse Rancher 2.0.12 Suse Rancher 2.0.13 Suse Rancher 2.1.0 Suse Rancher 2.1.1 Suse Rancher 2.1.2 Suse Rancher 2.1.3 Suse Rancher 2.1.4 Suse Rancher 2.1.5	20

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References