CVE-2018-20321
First published: Wed Apr 10 2019(Updated: )
An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SUSE Rancher | >=2.0.0<=2.1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-20321?
The severity of CVE-2018-20321 is critical with a CVSS score of 8.8.
How can I fix CVE-2018-20321 in Rancher 2?
To fix CVE-2018-20321 in Rancher 2, upgrade to a version higher than 2.1.5, such as 2.1.6 or 2.0.11, which address the security vulnerability.
What is the affected software for CVE-2018-20321?
The affected software for CVE-2018-20321 is SUSE Rancher version 2.0.0 through 2.1.5.
How can I mitigate CVE-2018-20321?
To mitigate CVE-2018-20321, isolate the default namespace and restrict access to the netes-default service account in the pod.
What is the Common Weakness Enumeration (CWE) for CVE-2018-20321?
The Common Weakness Enumeration (CWE) for CVE-2018-20321 is CWE-668.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/event
- agent/type
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/suse
- canonical/suse rancher
- version/suse rancher/2.0.0
- version/suse rancher/2.1.5