CVE-2021-25320

Aliases:GHSA-gqf8-rvrh-g7w6GO-2026-4589
Advisory lineage Upstream: 0 Downstream: 1
Modified
Published: 15 Jul 2021, 08:55
Last modified:16 Sept 2024, 20:21

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.9 CRITICAL
v3.1 (cve.org)
EPSS Score
0.2% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

15 Jul 2021, 08:55
Published
Vulnerability first disclosed
16 Sept 2024, 20:21
Last Modified
Vulnerability information updated

Description

A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16.

CVSS Metrics

  • v3.1CRITICALScore: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • v2.0MEDIUMScore: 4AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.20% Percentile: 42%

Techniques & Countermeasures

  • CWE-284Improper Access Control

    The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Systems

  • github.com/rancherrancher

    ≥ 2.2.0, < 2.4.16 | ≥ 2.5.0, < 2.5.9 | ≥ 2.2.0+incompatible

  • rancherrancher

    < 2.4.16 | ≥ 2.5.0, < 2.5.9 | ≥ Rancher, < 2.5.9 | ≥ Rancher, < 2.4.16

References (4)