CVE-2023-22650

HIGH

Rancher 2.7.0-2.7.13 and 2.8.0-2.8.4 - Improper Authentication via Uncleaned User Tokens

Title source: llm

Description

A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable.

References (2)

Core 2

Core References

Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22650

Vendor Advisory

https://github.com/rancher/rancher/security/advisories/GHSA-9ghh-mmcq-8phc

Scores

CVSS v3 8.8

EPSS 0.0016

EPSS Percentile 36.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287 CWE-306

Status published

Products (3)

rancher/rancher 2.7.0 - 2.7.14Go

SUSE/rancher 2.7.0 - 2.7.14

SUSE/rancher 2.8.0 - 2.8.5

Published Oct 16, 2024

Tracked Since Feb 18, 2026