Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-31247 #975

Closed
GoVulnBot opened this issue Sep 7, 2022 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-31247 #975

GoVulnBot opened this issue Sep 7, 2022 · 2 comments
Assignees
@tatianab
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2022-31247 references github.com/rancher/rancher, which may be a Go module.

Description:
An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster.
This issue affects:
SUSE Rancher
Rancher versions prior to 2.6.7;
Rancher versions prior to 2.5.16.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/rancher/rancher
    packages:
      - package: Rancher
description: |
    An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster.
    This issue affects:
    SUSE Rancher
    Rancher versions prior to 2.6.7;
    Rancher versions prior to 2.5.16.
cves:
  - CVE-2022-31247
references:
  - web: https://bugzilla.suse.com/show_bug.cgi?id=1199730
  - web: https://github.com/rancher/rancher/security/advisories/GHSA-6x34-89p7-95wg
@tatianab tatianab self-assigned this Sep 12, 2022
@tatianab tatianab added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NeedsTriage labels Sep 22, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/432778 mentions this issue: data/excluded: add GO-2022-0975.yaml for CVE-2022-31247

This was referenced Jan 25, 2023
Closed
Closed
Closed
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 24, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue May 4, 2023
Closed
This was referenced Jun 1, 2023
Closed
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 11, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 25, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Aug 2, 2023
Closed
This was referenced Feb 8, 2024
Closed
Closed
This was referenced Apr 24, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 25, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

This was referenced Jun 17, 2024
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 26, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Oct 15, 2024
Closed
This was referenced Oct 25, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Nov 21, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 14, 2025
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@tatianab tatianab

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot