CVE-2021-25318: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-25318
GHSA ID: (not listed)
EPSS Score: 0.31839%
CWE: (not listed)
Published: April 24, 2024
Updated: August 7, 2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality, integrity and availability impact)
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/rancher/rancher | go | >= 2.0.0, < 2.4.16 | 2.4.16 |
github.com/rancher/rancher | go | >= 2.5.0, < 2.5.9 | 2.5.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory describes an improper API group specification when Rancher creates Kubernetes RBAC resources, but it includes no code references, commit diffs, or function names. The root cause appears to lie in the RBAC rule generation logic, specifically in how the apiGroups field of the generated rules is set. The available sources (the CVE record, the GHSA advisory, and related issues) do not identify the vulnerable functions or file paths. The defect most likely sits in Rancher's role template handling or RBAC resource generation code, but without the patch or concrete code, specific functions cannot be identified with confidence.