CVE-2021-25318: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.31839%
Published: 4/24/2024
Updated: 8/7/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name                Ecosystem  Vulnerable Versions   First Patched Version
github.com/rancher/rancher  go         >= 2.0.0, < 2.4.16    2.4.16
github.com/rancher/rancher  go         >= 2.5.0, < 2.5.9     2.5.9

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The provided vulnerability information describes an improper API group specification in Kubernetes RBAC resource creation, but does not include specific code references, commit diffs, or function names. While the root cause appears to be in RBAC rule generation logic (particularly around setting apiGroup fields), the available data sources (CVE, GHSA, and related issues) do not explicitly identify vulnerable function names or file paths. The vulnerability likely exists in Rancher's role template handling or RBAC resource generation code, but without concrete code examples or patch details, specific functions cannot be identified with high confidence.

WAF Protection Rules

WAF Rule

A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example Rancher should have allowed users access to `apps.catal
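The description above boils down to an RBAC rule that names a resource without pinning it to the API group it was meant for, so the grant reaches the same-named resource in other groups as well. The following is an added defensive audit example, not Rancher's code and not the WAF rule referenced on this page: it walks Role/ClusterRole objects in the shape `kubectl get roles,clusterroles -A -o json` returns and flags rules whose `apiGroups` is a wildcard, is missing, or differs from the group the resource is intended to live in. The `INTENDED_GROUPS` mapping and the group name `catalog.example.io` are constructed placeholders, as is the sample input.

```python
"""Audit Kubernetes RBAC rules for API-group scoping problems.

Added example (not from Rancher or Miggo). Flags PolicyRules that grant a
resource without pinning it to the intended API group: a wildcard group, no
group at all, or a group other than the one the role is meant to cover.
Input mirrors `kubectl get roles,clusterroles -A -o json` (a List of items).
"""
import json

# Hypothetical mapping of resource name -> API group the role is *meant* to grant.
# Resource names such as "apps" exist in more than one API group, so a rule that
# names the resource without the right group grants more than intended.
INTENDED_GROUPS = {
    "apps": "catalog.example.io",  # constructed CRD group, not a real Rancher group
    "deployments": "apps",         # built-in apps/v1 group
    "pods": "",                    # core group is the empty string in RBAC
}


def audit_rule(rule):
    """Return a list of finding strings for a single PolicyRule dict."""
    findings = []
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])

    # A wildcard group grants the named resources in every API group at once.
    if "*" in groups:
        findings.append(f"wildcard apiGroups grants {resources} in every API group")
        return findings

    # apiGroups is a required field for resource rules; its absence is ambiguous.
    if not groups and resources:
        findings.append(f"no apiGroups set for {resources}")

    # Compare each (group, resource) pair against the intended group.
    for res in resources:
        intended = INTENDED_GROUPS.get(res)
        if intended is None:
            continue  # resource not covered by this audit's mapping
        for g in groups:
            if g != intended:
                findings.append(
                    f"resource {res!r} granted in group {g!r}, expected {intended!r}"
                )
    return findings


def audit_roles(items):
    """Audit Role/ClusterRole objects; return {kind/name: [findings]} for offenders."""
    report = {}
    for obj in items:
        name = f"{obj['kind']}/{obj['metadata']['name']}"
        findings = []
        for idx, rule in enumerate(obj.get("rules", [])):
            for f in audit_rule(rule):
                findings.append(f"rule[{idx}]: {f}")
        if findings:
            report[name] = findings
    return report


# Constructed sample input, not taken from any real cluster.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "catalog-reader"},
         "rules": [{"apiGroups": ["catalog.example.io"], "resources": ["apps"],
                    "verbs": ["get", "list"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "too-broad"},
         "rules": [{"apiGroups": ["*"], "resources": ["apps"], "verbs": ["get"]}]},
        {"kind": "Role", "metadata": {"name": "wrong-group"},
         "rules": [{"apiGroups": ["apps"], "resources": ["apps", "deployments"],
                    "verbs": ["get"]}]},
        {"kind": "Role", "metadata": {"name": "missing-group"},
         "rules": [{"resources": ["pods"], "verbs": ["get"]}]},
        {"kind": "Role", "metadata": {"name": "core-ok"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
    ],
})


def audit_sample():
    """Run the audit over the constructed sample and return the report."""
    return audit_roles(json.loads(SAMPLE)["items"])


if __name__ == "__main__":
    for role, findings in audit_sample().items():
        print(role)
        for f in findings:
            print("  -", f)
```

Pipe real output into `audit_roles` with `json.load(sys.stdin)["items"]` after adjusting `INTENDED_GROUPS` to the groups your own role templates are meant to cover; the `catalog-reader` and `core-ok` roles in the sample produce no findings, which is the shape a correctly scoped rule should take.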
