8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-36775

CVE-2021-36775: Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

Impact

This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2.

When removing a Project Role associated to a group from a project, the bindings that grant access to cluster scoped resources for those subjects do not get deleted. This happens due to an incomplete authorization logic check. A user who is a member of an affected group with authenticated access to Rancher could use this to access resources they should no longer have access to. The exposure level will depend on the original permission level granted to the affected project role.

Patches

Patched versions include releases 2.4.18, 2.5.12, 2.6.3 and later versions.

Workarounds

Limit access in Rancher to trusted users. There is not a direct mitigation besides upgrading to the patched Rancher versions.

References

Cluster and project roles documentation for Rancher 2.6, 2.5 and 2.4.

For more information

If you have any questions or comments about this advisory:

Reach out to SUSE Rancher Security team for security related inquiries.
Open an issue in Rancher repository.
Verify our support matrix and product support lifecycle.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-36775

CVE-2021-36775:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/rancher	go	<= 2.4.17	2.4.18
github.com/rancher/rancher	go	>= 2.5.0, <= 2.5.11	2.5.12
github.com/rancher/rancher	go	>= 2.6.0, <= 2.6.2	2.6.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete cleanup of role bindings when group-based ProjectRoleTemplateBindings are removed. The core function managing PRTB reconciliation (ensureBindings in prtb_controller.go) likely contains the flawed logic that only checks user-based bindings for deletion, neglecting group-based ones. This matches the CWE-284 (Improper Access Control) pattern described, where residual permissions persist due to incomplete revocation logic. The assessment aligns with Rancher's RBAC architecture and the described impact scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-36775: Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

Impact

Patches

Workarounds

References

For more information

CVE-2021-36775:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2021-36775: Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

Impact

Patches

Workarounds

References

For more information

8

8

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI