4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-20321

GHSA ID

GHSA-9qq2-xhmc-h9qr

EPSS Score

0.5905%

CWE

CWE-288

Published

6/23/2021

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-20321

CVE-2018-20321: Access Control Bypass

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.

(GitHub Advisory)

4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-20321

GHSA ID

GHSA-9qq2-xhmc-h9qr

EPSS Score

0.5905%

CWE

CWE-288

Published

6/23/2021

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/rancher	go	>= 2.0.0, < 2.1.6	2.1.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper cleanup of legacy ClusterRoleBindings (CRBs) that granted excessive privileges. The key issues were:

The original reconcileProjectAccessToGlobalResourcesForDelete function in prtb_handler.go only checked for active ProjectRoleTemplateBindings (PRTBs) before deleting CRBs, but didn't properly validate ownership labels across all possible binding types.
The system allowed CRBs with patterns like 'create-ns', 'namespaces-*', and 'promoted' roles to persist after user removal, which were later exploited for privilege escalation.
The patch introduced new cleanup logic (noRemainingOwnerLabels, legacy CRB cleaner) and removed flawed checks, confirming the original functions' inadequacy in permission revocation. While the exact vulnerable function names aren't explicitly called out in descriptions, the code changes in prtb_handler.go and the CWE mapping to improper access control strongly indicate these functions as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in R*n***r * t*rou** *.*.*. *ny proj**t m*m**r wit* ****ss to t** ****ult n*m*sp*** **n mount t** n*t*s-****ult s*rvi** ***ount in * po*, *n* t**n us* t**t po* to *x**ut* **ministr*tiv* privil**** *omm*n*s ***inst t** k*s *lus

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *l**nup o* l****y *lust*rRol**in*in*s (*R*s) t**t *r*nt** *x**ssiv* privil***s. T** k*y issu*s w*r*: *. T** ori*in*l `r**on*il*Proj**t****ssTo*lo**lR*sour**s*or**l*t*` *un*tion in prt*_**n*l*r.*o only ****k** *

4.2

Basic Information

Concerned about an active attack path?

CVE-2018-20321: Access Control Bypass

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI