8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25318

GHSA ID

GHSA-f9xf-jq4j-vqw4

EPSS Score

0.31839%

CWE

CWE-732

Published

4/24/2024

Updated

8/7/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-25318

CVE-2021-25318:
Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources

A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example Rancher should have allowed users access to apps.catalog.cattle.io, but instead incorrectly gave access to apps.*. Resource affected include:

Downstream clusters: apiservices clusters clusterrepos persistentvolumes storageclasses

Rancher management cluster apprevisions apps catalogtemplates catalogtemplateversions clusteralertgroups clusteralertrules clustercatalogs clusterloggings clustermonitorgraphs clusterregistrationtokens clusterroletemplatebindings clusterscans etcdbackups nodepools nodes notifiers pipelineexecutions pipelines pipelinesettings podsecuritypolicytemplateprojectbindings projectalertgroups projectalertrules projectcatalogs projectloggings projectmonitorgraphs projectroletemplatebindings projects secrets sourcecodeproviderconfigs

There is not a direct mitigation besides upgrading to the patched Rancher versions.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25318

GHSA ID

GHSA-f9xf-jq4j-vqw4

EPSS Score

0.31839%

CWE

CWE-732

Published

4/24/2024

Updated

8/7/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/rancher	go	>= 2.0.0, < 2.4.16	2.4.16
github.com/rancher/rancher	go	>= 2.5.0, < 2.5.9	2.5.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes an improper API group specification in Kubernetes RBAC resource creation, but does not include specific code references, commit diffs, or function names. While the root cause appears to be in RBAC rule generation logic (particularly around setting apiGroup fields), the available data sources (CVE, GHSA, and related issues) do not explicitly identify vulnerable function names or file paths. The vulnerability likely exists in Rancher's role template handling or RBAC resource generation code, but without concrete code examples or patch details, specific functions cannot be identified with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *is*ov*r** in R*n***r v*rsions *.* t*rou** t** **or*m*ntion** *ix** v*rsions, w**r* us*rs w*r* *r*nt** ****ss to r*sour**s r***r*l*ss o* t** r*sour**'s *PI *roup. *or *x*mpl* R*n***r s*oul* **v* *llow** us*rs ****ss to `*pps.**t*l

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s *n improp*r *PI *roup sp**i*i**tion in Ku**rn*t*s R*** r*sour** *r**tion, *ut *o*s not in*lu** sp**i*i* *o** r***r*n**s, *ommit *i**s, or *un*tion n*m*s. W*il* t** root **us* *pp**rs to ** in R*** rul*

8.8

Basic Information

Concerned about an active attack path?

CVE-2021-25318: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-25318:
Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources

Vulnerability Intelligence
Miggo AI