
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2023-22650) has been identified in Rancher: the system does not automatically clean up users who have been deleted from the configured authentication provider (AP). It affects all configurable authentication providers in Rancher versions >= 2.7.0 and < 2.7.14, and >= 2.8.0 and < 2.8.5. The issue was disclosed and patched in June 2024 (Rancher Advisory).
The vulnerability stems from Rancher's failure to synchronize user status changes with the authentication provider. When a user is deleted, disabled, or revoked in the configured authentication provider, Rancher continues to treat that user's access tokens as valid. This affects all external authentication providers, but not the built-in User Management feature. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (NVD).
The vulnerability could allow adversaries to gain unauthorized access to Rancher systems using tokens from deleted or revoked users, as these access privileges remain active within Rancher even after being invalidated in the authentication provider. This creates a potential security gap where terminated or compromised accounts could still maintain system access (Rancher Advisory).
The issue has been patched in Rancher versions 2.7.14 and 2.8.5, which introduce a new configurable user retention process. For unpatched systems, administrators should manually delete Rancher users via kubectl or through the UI as soon as those users are deleted from the authentication provider. The patch includes a user retention process that can be configured to run periodically and disable or delete inactive users based on their login activity (Rancher Advisory).
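The manual workaround above amounts to a reconciliation step: compare the principals the authentication provider has removed against the Rancher User objects that still carry those principals, and delete the matching users and their still-valid tokens. The script below is an added example of that step, written for this page and not Rancher's own tooling. It assumes the object shapes of `users.management.cattle.io` (with a `principalIds` list) and `tokens.management.cattle.io` (with `userId` and `expired` fields); the JSON items and the deleted-principal list are constructed samples standing in for `kubectl get ... -o json` output and an export from the provider. It emits the `kubectl delete` commands rather than running them, so an administrator can review the plan first.

```python
"""Reconcile Rancher User objects against principals deleted from the
authentication provider (AP) and emit the kubectl cleanup commands.

Added example for the manual workaround described in the advisory summary;
not Rancher's own code. Object field names (principalIds, userId, expired)
are assumed from the management.cattle.io CRDs; sample data is constructed."""
import json
from typing import Dict, Iterable, List, Set

# Constructed sample shaped like `kubectl get users.management.cattle.io -o json`.
USERS_JSON = json.dumps({"items": [
    {"metadata": {"name": "u-alice"}, "username": "alice",
     "principalIds": ["local://u-alice", "github_user://1001"]},
    {"metadata": {"name": "u-bob"}, "username": "bob",
     "principalIds": ["local://u-bob", "github_user://1002"]},
    # Local-only user from the built-in User Management feature (not affected).
    {"metadata": {"name": "u-carol"}, "username": "carol",
     "principalIds": ["local://u-carol"]},
]})

# Constructed sample shaped like `kubectl get tokens.management.cattle.io -o json`.
TOKENS_JSON = json.dumps({"items": [
    {"metadata": {"name": "token-1"}, "userId": "u-alice", "expired": False},
    {"metadata": {"name": "token-2"}, "userId": "u-bob", "expired": False},
    {"metadata": {"name": "token-3"}, "userId": "u-bob", "expired": True},
    {"metadata": {"name": "token-4"}, "userId": "u-carol", "expired": False},
]})

# Principals the AP reports as deleted or revoked (constructed; in practice
# exported from the provider's directory or audit log).
DELETED_PRINCIPALS: Set[str] = {"github_user://1002"}


def orphaned_users(users_json: str, deleted_principals: Set[str]) -> List[str]:
    """Rancher user names whose external principal no longer exists in the AP.

    Users with only local:// principals belong to built-in User Management,
    which the vulnerability does not affect, so they are never selected."""
    users = json.loads(users_json)["items"]
    orphans = []
    for user in users:
        external = [p for p in user.get("principalIds", [])
                    if not p.startswith("local://")]
        if any(p in deleted_principals for p in external):
            orphans.append(user["metadata"]["name"])
    return orphans


def live_tokens(tokens_json: str, user_names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each given user to the names of its tokens Rancher still treats as
    valid. These are the credentials the advisory warns remain usable."""
    wanted = set(user_names)
    result: Dict[str, List[str]] = {name: [] for name in wanted}
    for token in json.loads(tokens_json)["items"]:
        owner = token.get("userId")
        if owner in wanted and not token.get("expired", False):
            result[owner].append(token["metadata"]["name"])
    return result


def plan_cleanup(users_json: str, tokens_json: str,
                 deleted_principals: Set[str]) -> List[str]:
    """Build the ordered kubectl commands: revoke live tokens first so no
    credential outlives its user, then delete the Rancher User object."""
    orphans = orphaned_users(users_json, deleted_principals)
    tokens = live_tokens(tokens_json, orphans)
    commands = []
    for user in orphans:
        for token_name in tokens[user]:
            commands.append(f"kubectl delete tokens.management.cattle.io {token_name}")
        commands.append(f"kubectl delete users.management.cattle.io {user}")
    return commands


if __name__ == "__main__":
    # Print the plan for review; pipe to `sh` only after checking it.
    for cmd in plan_cleanup(USERS_JSON, TOKENS_JSON, DELETED_PRINCIPALS):
        print(cmd)
```

On a real cluster the two JSON constants would be replaced by the output of `kubectl get users.management.cattle.io -o json` and `kubectl get tokens.management.cattle.io -o json`, and the deleted-principal set by whatever the provider exports; the script deliberately only prints commands so the deletion stays a reviewed, auditable action. On 2.7.14 / 2.8.5 and later the built-in user retention process covers inactive users, but this kind of principal-level reconciliation still closes the gap between a revocation in the provider and the next retention run.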
Source: This report was generated using AI