
Cloud Vulnerability DB
A community-led vulnerabilities database
An Improper Authorization vulnerability (CVE-2022-31247) was discovered in SUSE Rancher affecting versions prior to 2.6.7 and 2.5.16. The vulnerability was disclosed on August 19, 2022, and allows users with specific permissions to gain unauthorized owner privileges in projects across clusters (GitHub Advisory, SUSE Bugzilla).
The vulnerability stems from a flaw in the authorization logic related to cluster role template binding (CRTB) and project role template binding (PRTB). The issue affects only downstream clusters, not the local cluster. The CVSS v3.1 score is 9.1 (Critical) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: High, User Interaction: None, Scope: Changed, and Impact scores (Confidentiality, Integrity, Availability) all rated as High (GitHub Advisory).
The vulnerability enables users with permissions to create/edit cluster role template bindings or project role template bindings to gain owner permission in another project within the same cluster or in projects on different downstream clusters. Users can escalate to cluster-owner permission on different downstream clusters if they already possess cluster-owner rights on at least one downstream cluster (GitHub Advisory).
The vulnerability has been patched in versions 2.5.16, 2.6.7, and later releases. Organizations should limit Rancher access to trusted users and audit their clusters for unauthorized CRTB and PRTB assignments. A detection script is available to identify potential CRTB and PRTB deviations. The ability to add users to projects and clusters should be granted selectively because it is highly privileged (GitHub Advisory).
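One way to carry out the audit described above, as an added example that is not the advisory's own detection script: it flags any CRTB or PRTB whose target cluster or project does not match the namespace the binding lives in, assuming Rancher's usual layout (CRTB namespace is the cluster ID, PRTB namespace is the project ID, and projectName is "<cluster-id>:<project-id>"). The binding data below is a constructed sample in the shape of saved kubectl JSON.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterroletemplatebindings,projectroletemplatebindings -A -o json`
# output for management.cattle.io/v3 resources (assumed Rancher convention: a CRTB lives in
# the namespace named after its cluster ID, a PRTB in the namespace named after
# its project ID, and projectName is "<cluster-id>:<project-id>").
SAMPLE_BINDINGS = json.loads("""
{"items": [
 {"kind": "ClusterRoleTemplateBinding", "metadata": {"name": "crtb-1", "namespace": "c-abc12"},
  "clusterName": "c-abc12", "userName": "u-alice", "roleTemplateName": "cluster-member"},
 {"kind": "ClusterRoleTemplateBinding", "metadata": {"name": "crtb-2", "namespace": "c-abc12"},
  "clusterName": "c-zzz99", "userName": "u-bob", "roleTemplateName": "cluster-owner"},
 {"kind": "ProjectRoleTemplateBinding", "metadata": {"name": "prtb-1", "namespace": "p-11111"},
  "projectName": "c-abc12:p-11111", "userName": "u-alice", "roleTemplateName": "project-member"},
 {"kind": "ProjectRoleTemplateBinding", "metadata": {"name": "prtb-2", "namespace": "p-11111"},
  "projectName": "c-abc12:p-22222", "userName": "u-bob", "roleTemplateName": "project-owner"}
]}
""")

def find_deviations(bindings):
    """Return (kind, namespace/name, subject, role, reason) for every binding whose
    referenced cluster or project does not match the namespace it lives in."""
    findings = []
    for item in bindings.get("items", []):
        kind = item.get("kind", "")
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        subject = item.get("userName") or item.get("groupPrincipalName") or "<unknown>"
        role = item.get("roleTemplateName", "")
        if kind == "ClusterRoleTemplateBinding":
            target = item.get("clusterName", "")
            reason = f"clusterName {target!r} != namespace {ns!r}"
        elif kind == "ProjectRoleTemplateBinding":
            # The project-ID half of projectName must equal the PRTB's namespace.
            full = item.get("projectName", "")
            target = full.partition(":")[2]
            reason = f"projectName {full!r} does not end in project ID {ns!r}"
        else:
            continue
        if target != ns:
            findings.append((kind, f"{ns}/{name}", subject, role, reason))
    return findings

if __name__ == "__main__":
    # Pass a saved `kubectl ... -o json` file as argv[1] to audit a real cluster.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BINDINGS
    for kind, ref, subject, role, reason in find_deviations(data):
        print(f"[DEVIATION] {kind} {ref}: {subject} -> {role}: {reason}")
```

A clean cluster prints nothing; each reported line names the binding, the subject it grants access to, and the role template, which is what to review against the expected membership of that cluster or project.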
Source: This report was generated using AI