
CVE-2021-36775: Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

CVSS Score (v3.1)
8

Basic Information

EPSS Score
0.2071%
Published
4/24/2024
Updated
8/7/2024
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name                 Ecosystem   Vulnerable Versions     First Patched Version
github.com/rancher/rancher   go          <= 2.4.17               2.4.18
github.com/rancher/rancher   go          >= 2.5.0, <= 2.5.11     2.5.12
github.com/rancher/rancher   go          >= 2.6.0, <= 2.6.2      2.6.3

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from incomplete cleanup of role bindings when group-based ProjectRoleTemplateBindings (PRTBs) are removed. The core function managing PRTB reconciliation (ensureBindings in prtb_controller.go) likely contains the flawed logic: it checks only user-based bindings for deletion and neglects group-based ones. This matches the CWE-284 (Improper Access Control) pattern, where residual permissions persist because the revocation logic is incomplete. The assessment is consistent with Rancher's RBAC architecture and with the described impact scenario.


Impact

This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2. When removing a Project Role associated to a group from a project, the bindings that grant access
