x/vulndb: potential Go vuln in github.com/rancher/rke2: GHSA-x7xj-jvwp-97rv #3222

Closed

GoVulnBot opened this issue Oct 25, 2024 · 1 comment

@GoVulnBot
Advisory GHSA-x7xj-jvwp-97rv references a vulnerability in the following Go modules:

Module
github.com/rancher/rke2

Description:

Impact

A vulnerability has been identified whereby RKE2 deployments on Windows nodes have weak Access Control Lists (ACLs), allowing BUILTIN\Users or NT AUTHORITY\Authenticated Users to view or edit sensitive files, which could lead to privilege escalation.

The affected files include binaries, scripts, configuration and log files:

C:\etc\rancher\node\password
C:\var\lib\rancher\rke2\agent\logs\kubelet.log
C:\var\lib\rancher\rke2\data\v1.**.**-rke2r*-windows-amd64-*\bin\*
C:\var\lib\rancher\rke2\bin\*

**This vulnerability is exclusive to RKE2 in Windows environments. Linux env...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rke2
      non_go_versions:
        - introduced: 1.27.0
        - fixed: 1.27.15
        - introduced: 1.28.0
        - fixed: 1.28.11
        - introduced: 1.29.0
        - fixed: 1.29.6
        - introduced: 1.30.0
        - fixed: 1.30.2
      vulnerable_at: 0.0.1-alpha.7
summary: |-
    RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control
    Lists in github.com/rancher/rke2
ghsas:
    - GHSA-x7xj-jvwp-97rv
references:
    - advisory: https://github.com/advisories/GHSA-x7xj-jvwp-97rv
    - advisory: https://github.com/rancher/rke2/security/advisories/GHSA-x7xj-jvwp-97rv
    - web: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32197
    - web: https://github.com/rancher/rancher/security/advisories/GHSA-7h8m-pvw3-5gh4
source:
    id: GHSA-x7xj-jvwp-97rv
    created: 2024-10-25T20:02:06.556941467Z
review_status: UNREVIEWED
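
The advisory above describes over-permissive ACLs on four path patterns but does not show how to check a node for them. The following PowerShell script is an added example, not code from the RKE2 project or from the advisory: it walks the listed paths, reports every Allow ACE held by BUILTIN\Users or NT AUTHORITY\Authenticated Users (flagging which ones carry write-class rights, since those are what turn "edit a binary or script" into privilege escalation), and with -Fix replaces each affected ACL with one that only BUILTIN\Administrators and NT AUTHORITY\SYSTEM can use. It assumes an elevated PowerShell session on a Windows RKE2 node; the Administrators/SYSTEM-only ACL is this script's choice for a hardening baseline, not a statement of what the upstream fix does.

```powershell
# Added example (not RKE2 project or advisory code): audit the files named in
# GHSA-x7xj-jvwp-97rv for ACEs granted to BUILTIN\Users or
# NT AUTHORITY\Authenticated Users, and optionally (-Fix) re-ACL them so that
# only BUILTIN\Administrators and NT AUTHORITY\SYSTEM keep access.
# Assumptions: run from an elevated PowerShell on a Windows RKE2 node; the
# Administrators/SYSTEM-only ACL is this script's choice, not the upstream fix.
[CmdletBinding()]
param(
    [switch]$Fix   # report only unless -Fix is given
)

# Path patterns taken from the advisory; wildcards are resolved by Get-Item.
$Targets = @(
    'C:\etc\rancher\node\password',
    'C:\var\lib\rancher\rke2\agent\logs\kubelet.log',
    'C:\var\lib\rancher\rke2\data\v1.**.**-rke2r*-windows-amd64-*\bin\*',
    'C:\var\lib\rancher\rke2\bin\*'
)

# Principals the advisory names as over-privileged on these files.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let a low-privileged user alter a file (swap a binary, edit a
# script) or re-ACL it. Read-only ACEs are still reported, because read access
# to the node password file is itself a disclosure problem.
$WriteRights = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, Delete, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            CanWrite  = (($ace.FileSystemRights -band $WriteRights) -ne 0)
            Inherited = $ace.IsInherited
        }
    }
}

function Set-AdminOnlyAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance from the parent (which is where BUILTIN\Users normally
    # picks up Read/Execute) without copying inherited ACEs, then drop explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    # Directories get inheritable ACEs so files created under them stay locked down.
    $inherit = 'None'
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $inherit = 'ContainerInherit, ObjectInherit'
    }
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$findings = @()
foreach ($pattern in $Targets) {
    foreach ($item in (Get-Item -Path $pattern -ErrorAction SilentlyContinue)) {
        $findings += Get-WeakAce -Path $item.FullName
    }
}

if (-not $findings) {
    Write-Host 'No BUILTIN\Users / Authenticated Users ACEs on the advisory paths.'
    return
}
$findings | Format-Table -AutoSize
if ($Fix) {
    foreach ($p in ($findings | Select-Object -ExpandProperty Path -Unique)) {
        Set-AdminOnlyAcl -Path $p
        Write-Host "Rewrote ACL on $p"
    }
}
```

Run it once without -Fix and review the table: an entry with CanWrite = True on anything under a bin directory is the case the advisory is about, while a read-only entry on C:\etc\rancher\node\password is the disclosure case. Re-ACLing is a stopgap for nodes that cannot be upgraded immediately; the durable fix is moving to the fixed versions listed in the report (1.27.15, 1.28.11, 1.29.6, 1.30.2). If the rke2 service on a node runs under an account other than SYSTEM (an assumption to verify per deployment), add that account to the ACL in Set-AdminOnlyAcl before applying -Fix.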

@gopherbot (Contributor)

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports

@tatianab tatianab self-assigned this Oct 28, 2024