GO-2024-3222

RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rke2

Details

RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rke2.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/rancher/rke2 from v1.27.0 before v1.27.15, from v1.28.0 before v1.28.11, from v1.29.0 before v1.29.6, from v1.30.0 before v1.30.2.

Affected packages

Go / github.com/rancher/rke2
Introduced in: 0

No fixed version published yet for github.com/rancher/rke2 (Go modules). Pin to a known-safe version or switch to an alternative.

References