Closed
Description
In GitHub Security Advisory GHSA-9qq2-xhmc-h9qr, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/rancher/rancher | 2.1.6 | >= 2.0.0, < 2.1.6 |
See doc/triage.md for instructions on how to triage this report.
```yaml
packages:
  - package: github.com/rancher/rancher
    versions:
      - introduced: 2.0.0
        fixed: 2.1.6
description: >
  An issue was discovered in Rancher 2 through 2.1.5. Any project member
  with access to the default namespace can mount the netes-default service account
  in a pod, and then use that pod to execute administrative privileged commands
  against the k8s cluster. This could be mitigated by isolating the default namespace
  in a separate project, where only cluster admins can be given permissions to access.
  As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.
published: 2021-06-23T17:57:10Z
last_modified: 2022-04-25T20:21:12Z
cves:
  - CVE-2018-20321
ghsas:
  - GHSA-9qq2-xhmc-h9qr
links:
  context:
    - https://github.com/advisories/GHSA-9qq2-xhmc-h9qr
```