CVE-2021-36775: Rancher's failure to delete orphaned role bindings does not revoke project-level access from group-based authentication
CVSS Score: 8 (CVSS 3.1)

Basic Information
CVE ID: CVE-2021-36775
GHSA ID:
EPSS Score: 0.2071%
CWE:
Published: 4/24/2024
Updated: 8/7/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/rancher/rancher | go | <= 2.4.17 | 2.4.18 |
github.com/rancher/rancher | go | >= 2.5.0, <= 2.5.11 | 2.5.12 |
github.com/rancher/rancher | go | >= 2.6.0, <= 2.6.2 | 2.6.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from incomplete cleanup of role bindings when group-based ProjectRoleTemplateBindings (PRTBs) are removed. The core function managing PRTB reconciliation (ensureBindings in prtb_controller.go) likely contains the flawed logic: it only checks user-based bindings for deletion and neglects group-based ones. This matches the CWE-284 (Improper Access Control) pattern described, where residual permissions persist because the revocation logic is incomplete. The assessment aligns with Rancher's RBAC architecture and the described impact scenario.