CVE-2023-22648: 
Rancher vulnerability analysis and mitigation

A privilege management vulnerability (CVE-2023-22648) was discovered in SUSE Rancher that affects versions from 2.6.7 before 2.6.13 and from 2.7.0 before 2.7.4. The vulnerability specifically impacts Rancher instances with Azure AD integration enabled, where permission changes in Azure AD are not reflected for users during active sessions. This vulnerability was disclosed on June 1, 2023, and has been assigned a CVSS v3.1 base score of 8.0 (High) (NVD, GitHub Advisory).

The vulnerability stems from an improper privilege management mechanism that affects users accessing Rancher through various methods including the Rancher UI, kubectl with downloaded kubeconfig, and tokens created via the Rancher UI Create API Key feature. The issue persists even after Rancher Manager pod restarts, with permissions remaining cached. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability allows users to retain their previous permissions in Rancher even after their privileges have been reduced or revoked in Azure AD. This means users could maintain access to Rancher resources even after being removed from privileged groups in Azure AD, potentially leading to unauthorized access to sensitive resources. The only way for updated permissions to take effect is for users to log out and log back in (GitHub Advisory).

The vulnerability has been patched in Rancher versions 2.6.13 and 2.7.4. There are no direct mitigation strategies available besides updating to a patched version. Organizations using affected versions should upgrade to the patched versions as soon as possible (GitHub Advisory).