CVE-2018-20321: Access Control Bypass

CVSS Score (v3.1): 4.2

Basic Information

EPSS Score: 0.5905%
Published: 6/23/2021
Updated: 2/1/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name: github.com/rancher/rancher
Ecosystem: go
Vulnerable Versions: >= 2.0.0, < 2.1.6
First Patched Version: 2.1.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper cleanup of legacy ClusterRoleBindings (CRBs) that granted excessive privileges. The key issues were:

  1. The original reconcileProjectAccessToGlobalResourcesForDelete function in prtb_handler.go only checked for active ProjectRoleTemplateBindings (PRTBs) before deleting CRBs, but did not properly validate ownership labels across all possible binding types.
  2. The system allowed CRBs following patterns such as 'create-ns', 'namespaces-*', and 'promoted' roles to persist after a user was removed; these leftover bindings could later be used for privilege escalation.
  3. The patch introduced new cleanup logic (noRemainingOwnerLabels and a legacy CRB cleaner) and removed the flawed checks, confirming that the original functions revoked permissions inadequately. Although the descriptions do not explicitly name the vulnerable functions, the code changes in prtb_handler.go and the CWE mapping to improper access control strongly indicate these functions as the root cause.
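The cleanup rule described above, an owner-label check applied to every leftover binding regardless of its naming pattern, is illustrated by the following added example. It is not Rancher's code and does not use Rancher's real label keys or types: the "prtb-owner/<name>" label convention, the struct, and the function names are assumptions constructed for this illustration. A CRB is reported as orphaned only when it carries owner labels and none of them refers to a PRTB that still exists, so a binding shared with another active PRTB is kept.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed label convention for this example (not Rancher's real label keys):
// a CRB owned by a ProjectRoleTemplateBinding carries "prtb-owner/<prtb name>" = "true".
const ownerLabelPrefix = "prtb-owner/"

// ClusterRoleBinding is a minimal stand-in for the Kubernetes object.
type ClusterRoleBinding struct {
	Name   string
	Labels map[string]string
}

// ownerPRTBs lists the PRTB names recorded in a CRB's owner labels.
func ownerPRTBs(crb ClusterRoleBinding) []string {
	var owners []string
	for k := range crb.Labels {
		if strings.HasPrefix(k, ownerLabelPrefix) {
			owners = append(owners, strings.TrimPrefix(k, ownerLabelPrefix))
		}
	}
	return owners
}

// noRemainingOwnerLabels reports whether a CRB managed through owner labels has
// no owner left among the PRTBs that still exist. A CRB without any owner label
// is not managed by this logic and is never reported as orphaned.
func noRemainingOwnerLabels(crb ClusterRoleBinding, activePRTBs map[string]bool) bool {
	owners := ownerPRTBs(crb)
	if len(owners) == 0 {
		return false
	}
	for _, o := range owners {
		if activePRTBs[o] {
			return false // another live PRTB still needs this CRB
		}
	}
	return true
}

// orphanedCRBs returns, sorted, the names of every CRB that no active PRTB owns
// any more, whatever its naming pattern ("create-ns", "namespaces-*", "promoted"
// or anything else), so the caller can delete them.
func orphanedCRBs(crbs []ClusterRoleBinding, activePRTBs map[string]bool) []string {
	var out []string
	for _, crb := range crbs {
		if noRemainingOwnerLabels(crb, activePRTBs) {
			out = append(out, crb.Name)
		}
	}
	sort.Strings(out)
	return out
}

// sampleCRBs is constructed test data: bindings left behind after the PRTB
// "prtb-alice" was deleted, one of them shared with the still-active "prtb-bob".
func sampleCRBs() []ClusterRoleBinding {
	return []ClusterRoleBinding{
		{Name: "create-ns-alice", Labels: map[string]string{ownerLabelPrefix + "prtb-alice": "true"}},
		{Name: "namespaces-dev", Labels: map[string]string{
			ownerLabelPrefix + "prtb-alice": "true",
			ownerLabelPrefix + "prtb-bob":   "true",
		}},
		{Name: "promoted-alice", Labels: map[string]string{ownerLabelPrefix + "prtb-alice": "true"}},
		{Name: "unrelated-system-binding", Labels: map[string]string{"app": "monitoring"}},
	}
}

func main() {
	active := map[string]bool{"prtb-bob": true} // prtb-alice no longer exists
	for _, name := range orphanedCRBs(sampleCRBs(), active) {
		fmt.Println("delete stale ClusterRoleBinding:", name)
	}
}
```

Run against the constructed data, the check flags create-ns-alice and promoted-alice for deletion, keeps namespaces-dev because prtb-bob still owns it, and ignores the unmanaged system binding; the point is that the decision is driven by ownership labels rather than by which name pattern a binding happens to match.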

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s clus
