CVE-2018-20321: Access Control Bypass
CVSS Score (v3.1): 4.2
Basic Information
CVE ID: CVE-2018-20321
GHSA ID:
EPSS Score: 0.5905%
CWE:
Published: 6/23/2021
Updated: 2/1/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/rancher/rancher | go | >= 2.0.0, < 2.1.6 | 2.1.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper cleanup of legacy ClusterRoleBindings (CRBs) that granted excessive privileges. The key issues were:
- The original `reconcileProjectAccessToGlobalResourcesForDelete` function in `prtb_handler.go` only checked for active ProjectRoleTemplateBindings (PRTBs) before deleting CRBs, and did not validate ownership labels across all possible binding types.
- CRBs following patterns such as 'create-ns', 'namespaces-*' and 'promoted' roles were allowed to persist after a user was removed, and these leftover bindings were later usable for privilege escalation.
- The patch introduced new cleanup logic (`noRemainingOwnerLabels` and a legacy CRB cleaner) and removed the flawed checks, confirming that the original functions did not adequately revoke permissions. The exact vulnerable function names are not called out explicitly in the advisory descriptions, but the code changes in `prtb_handler.go` together with the CWE mapping to improper access control strongly point to these functions as the root cause.
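As an added illustration of the cleanup rule described above (this is not Rancher's code; the types, the owner-label convention and the sample binding names are constructed for the example), the following Go program keeps a ClusterRoleBinding only while at least one owner label still points at a live binding of any type, and routes unlabelled bindings that match the legacy naming patterns to a separate cleanup path:

```go
package main

import "fmt"
import "strings"

// Constructed, simplified model of the cleanup decision; not Rancher's own types.
const ownerLabelValue = "owner" // label value marking the key as an owning binding's name
type ClusterRoleBinding struct {
	Name   string
	Labels map[string]string
}
// ownerState reports whether the CRB carries any owner label and whether any owner is still
// in live, which must list every remaining binding of every type, not only active PRTBs.
func ownerState(crb ClusterRoleBinding, live map[string]bool) (hasOwner, anyLive bool) {
	for key, val := range crb.Labels {
		if val == ownerLabelValue {
			hasOwner = true
			anyLive = anyLive || live[key]
		}
	}
	return hasOwner, anyLive
}
// legacyName matches the 'create-ns', 'namespaces-*' and 'promoted' naming patterns of
// older, unlabelled bindings, which a dedicated legacy cleaner has to handle.
func legacyName(n string) bool {
	return strings.HasSuffix(n, "-create-ns") || strings.Contains(n, "-namespaces-") || strings.HasSuffix(n, "-promoted")
}
// crbsToDelete returns, in input order, the CRBs that are safe and necessary to remove.
func crbsToDelete(crbs []ClusterRoleBinding, live map[string]bool) []string {
	var out []string
	for _, crb := range crbs {
		hasOwner, anyLive := ownerState(crb, live)
		noRemainingOwnerLabels := hasOwner && !anyLive // every owner has been deleted
		legacy := !hasOwner && legacyName(crb.Name)    // unmanaged binding from an old code path
		if noRemainingOwnerLabels || legacy {
			out = append(out, crb.Name)
		}
	}
	return out
}
// sampleCRBs is constructed input: alice's bindings are gone, bob's PRTB remains.
func sampleCRBs() []ClusterRoleBinding {
	return []ClusterRoleBinding{
		{Name: "u-alice-create-ns"},                                                       // legacy, unlabelled: delete
		{Name: "u-alice-promoted", Labels: map[string]string{"prtb-alice-dev": "owner"}},  // orphaned: delete
		{Name: "u-bob-namespaces-ro", Labels: map[string]string{"prtb-bob-dev": "owner"}}, // still owned: keep
		{Name: "manual-cluster-admin"},                                                    // admin-created: keep
	}
}
func main() { fmt.Println(crbsToDelete(sampleCRBs(), map[string]bool{"prtb-bob-dev": true})) }
```

A CRB without any owner label and without a legacy name (an administrator-created binding, for instance) is never touched by either path, which is the property a reconciler of this kind needs to preserve.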