8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-36775

GHSA ID

GHSA-28g7-896h-695v

EPSS Score

0.2071%

CWE

CWE-284

Published

4/24/2024

Updated

8/7/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-36775

CVE-2021-36775: Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

Impact

This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2.

When removing a Project Role associated to a group from a project, the bindings that grant access to cluster scoped resources for those subjects do not get deleted. This happens due to an incomplete authorization logic check. A user who is a member of an affected group with authenticated access to Rancher could use this to access resources they should no longer have access to. The exposure level will depend on the original permission level granted to the affected project role.

Patches

Patched versions include releases 2.4.18, 2.5.12, 2.6.3 and later versions.

Workarounds

Limit access in Rancher to trusted users. There is not a direct mitigation besides upgrading to the patched Rancher versions.

References

Cluster and project roles documentation for Rancher 2.6, 2.5 and 2.4.

For more information

If you have any questions or comments about this advisory:

Reach out to SUSE Rancher Security team for security related inquiries.
Open an issue in Rancher repository.
Verify our support matrix and product support lifecycle.

(GitHub Advisory)

8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-36775

GHSA ID

GHSA-28g7-896h-695v

EPSS Score

0.2071%

CWE

CWE-284

Published

4/24/2024

Updated

8/7/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/rancher	go	<= 2.4.17	2.4.18
github.com/rancher/rancher	go	>= 2.5.0, <= 2.5.11	2.5.12
github.com/rancher/rancher	go	>= 2.6.0, <= 2.6.2	2.6.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete cleanup of role bindings when group-based ProjectRoleTemplateBindings are removed. The core function managing PRTB reconciliation (ensureBindings in prtb_controller.go) likely contains the flawed logic that only checks user-based bindings for deletion, neglecting group-based ones. This matches the CWE-284 (Improper Access Control) pattern described, where residual permissions persist due to incomplete revocation logic. The assessment aligns with Rancher's RBAC architecture and the described impact scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility only *****ts *ustom*rs usin* *roup **s** *ut**nti**tion in R*n***r v*rsions up to *n* in*lu*in* *.*.**, *.*.** *n* *.*.*. W**n r*movin* * Proj**t Rol* *sso*i*t** to * *roup *rom * proj**t, t** *in*in*s t**t *r*nt ****ss

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* *l**nup o* rol* *in*in*s w**n *roup-**s** Proj**tRol*T*mpl*t**in*in*s *r* r*mov**. T** *or* *un*tion m*n**in* PRT* r**on*ili*tion (`*nsur**in*in*s` in prt*_*ontroll*r.*o) lik*ly *ont*ins t** *l*w** lo*i* t**t o

8

Basic Information

Concerned about an active attack path?

CVE-2021-36775: Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

Impact

Patches

Workarounds

References

For more information

8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI