Detections
Analytics
CVE-2023-32196
medium
Description
A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate objects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external RoleTemplates when its context is set to either project or is left empty. The fix introduces a new field to the RoleTemplate CRD named ExternalRules . The new field will be used to resolve rules directly from the RoleTemplate . Additionally, rules from the backing ClusterRole will be used if ExternalRules is not provided. The new field will always take precedence when it is set, and serve as the source of truth for rules used when creating Rancher resources on the local cluster. Please note that this is a breaking change for external RoleTemplates , when context is set to project or empty and the backing ClusterRole does not exist, as this was not previously required. Important: The fix is automatically applied when upgrading to the release lines 2.8 and above. For users still on the 2.7 release line, after the upgrade to a patched version, users are required to opt-in to the fix by enabling the external-rules feature flag . Please consult the associated MITRE ATT&CK - Technique - Exploitation for Privilege Escalation for further information about this category of attack.