CVE-2023-32194: 
vulnerability analysis and mitigation

A vulnerability (CVE-2023-32194) has been identified in Rancher versions >=2.6.0,<2.6.14, >=2.7.0,<2.7.10, and >=2.8.0,<2.8.2. The vulnerability occurs when granting a create or global role for a resource type of "namespaces"; regardless of the API group, the subject will receive permissions for core namespaces. This can lead to unauthorized access, creation, updating, or deletion of namespaces in the project (Rancher Advisory).

The vulnerability is classified as CWE-269 (Improper Privilege Management) with a CVSS v3.1 base score of 7.2 (High). The attack vector is Network-based with Low attack complexity, requiring High privileges but No user interaction. The scope is Unchanged, with High impact on Confidentiality, Integrity, and Availability (NVD).

The vulnerability can lead to unauthorized namespace management, including the ability to read or update namespaces in projects where the user has "manage-namespaces" permission. This could result in namespace movement between projects, potentially leading to secret leakage if the targeted project contains secrets. Additionally, it can enable abuse of resource quotas in the targeted project (Rancher Advisory).

The vulnerability has been patched in Rancher versions 2.6.14, 2.7.10, and 2.8.2. There are no direct mitigation strategies available besides updating Rancher to a patched version (Rancher Advisory).