CVE-2023-22651

9.9 CRITICAL

📋 TL;DR

A privilege escalation vulnerability in SUSE Rancher allows attackers to bypass admission webhook security checks and gain elevated privileges in Kubernetes clusters. This only affects users who upgraded from Rancher 2.6.x or 2.7.x to version 2.7.2, not fresh installations of 2.7.2.

💻 Affected Systems

Products:
  • SUSE Rancher
Versions: 2.7.2 (only when upgraded from 2.6.x or 2.7.x)
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects upgrade paths from 2.6.x or 2.7.x to 2.7.2. Fresh installations of 2.7.2 are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full cluster compromise allowing attackers to deploy malicious workloads, access sensitive data, and disrupt operations across all managed Kubernetes resources.

🟠 Likely Case

Privilege escalation enabling unauthorized resource creation, configuration changes, and potential lateral movement within the cluster.

🟢 If Mitigated

Limited impact with proper network segmentation, RBAC restrictions, and admission control policies in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to Rancher and knowledge of the upgrade path vulnerability. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.3 or later

Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g

Restart Required: Yes

Instructions:

1. Backup Rancher configuration and data.
2. Upgrade to Rancher 2.7.3 or later.
3. Restart Rancher services.
4. Verify admission webhook functionality.

🔧 Temporary Workarounds

Reinstall Rancher 2.7.2 (linux)

Perform a fresh installation of Rancher 2.7.2 instead of upgrading from a vulnerable version:

1. Backup current configuration
2. Uninstall existing Rancher
3. Install Rancher 2.7.2 fresh
4. Restore configuration from backup

🧯 If You Can't Patch

  • Implement strict network policies to isolate Rancher management plane
  • Enforce least privilege RBAC and audit all admission webhook configurations

🔍 How to Verify

Check if Vulnerable:

Check Rancher version and upgrade history: if running 2.7.2 and upgraded from 2.6.x or 2.7.x, you are vulnerable.

Check Version:

kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'rancher/rancher:v[0-9.]*'
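The command above only prints the image tag; whether that tag falls in the range this advisory covers still has to be decided, and for 2.7.2 the upgrade history decides the rest. The shell function below is an added example, not part of the advisory: it classifies a tag in the format that pipeline prints (rancher/rancher:vX.Y.Z) and assumes, as stated on this page, that the affected version is exactly 2.7.2 and the fix is 2.7.3 or later.

```shell
# Added example, not from the advisory: classify a Rancher server image tag
# against the range described on this page.
# Output:
#   fixed       2.7.3 or later
#   check-path  exactly 2.7.2: vulnerable only if upgraded from 2.6.x/2.7.x,
#               so the upgrade history still has to be checked separately
#   other       a version outside the range this advisory covers
#   unknown     the tag could not be parsed (e.g. "latest")
rancher_cve_2023_22651_status() {
  tag=$1
  ver=${tag##*:}                      # drop the image name, keep "v2.7.2"
  ver=${ver#v}                        # drop the leading "v"
  case "$ver" in
    ""|.*|*.|*..*|*[!0-9.]*) echo unknown; return 0 ;;
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$rest" = "$patch" ]; then     # "2.7" with no patch field
    patch=0
  fi
  patch=${patch%%.*}                  # ignore a fourth component
  if [ "$rest" = "$ver" ]; then       # bare "2" has no minor field
    minor=0; patch=0
  fi
  if [ "$major" -gt 2 ] ||
     { [ "$major" -eq 2 ] && [ "$minor" -gt 7 ]; } ||
     { [ "$major" -eq 2 ] && [ "$minor" -eq 7 ] && [ "$patch" -ge 3 ]; }; then
    echo fixed
  elif [ "$major" -eq 2 ] && [ "$minor" -eq 7 ] && [ "$patch" -eq 2 ]; then
    echo check-path
  else
    echo other
  fi
}

# Demo on a constructed tag, i.e. what the kubectl pipeline above would print:
rancher_cve_2023_22651_status "rancher/rancher:v2.7.2"   # prints: check-path
```

In practice, pipe the kubectl output into the function; a check-path result means the cluster is affected only if the 2.7.2 install came from an in-place upgrade.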

Verify Fix Applied:

Verify Rancher version is 2.7.3 or later and admission webhooks are functioning correctly.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized admission webhook configuration changes
  • Unexpected privilege escalation events in audit logs
  • Failed admission webhook validations

Network Indicators:

  • Unusual API calls to admission webhook endpoints
  • Suspicious traffic patterns to Rancher management API

SIEM Query:

source="rancher" AND (event="admission_webhook_failure" OR event="privilege_escalation")

🔗 References
