Incorrect Authorization
CVE-2024-22031
Summary
A vulnerability has been identified within Rancher, where a user with the ability to create a project on a certain cluster can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other project in the different cluster, leading to a privilege escalation. This occurs because the namespace used on the local cluster to store related resources (such as "PRTBs" and "secrets") is the name of the project.

This issue affects versions 2.8.0-alpha1 through 2.9.8, 2.10.0-alpha1 through 2.10.4, and 2.11.0-alpha1 through 2.11.0.

As a workaround, if you can't upgrade to a fixed version, make sure that users are not allowed to create projects with the same object names as projects in another cluster.

To identify whether this security issue could have been abused within your system, check whether there are any projects with the same name on different clusters. To do that, run the following command in the local cluster as an administrator:

    kubectl get projects -A -o=custom-columns='NAME:metadata.name' | sort | uniq -c

That command lists all project names and shows the number of instances of each name. Any project name with more than 1 instance is affected by this security issue.

To remedy the situation, the affected projects need to be deleted and re-created to ensure no namespace collisions happen. While it would be possible to delete all but 1 of the projects with the same name, this is inadvisable because a user could have given themselves access to the wrong project.
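The `sort | uniq -c` check above tells you that a name is duplicated, but not which clusters share it, which is what an incident review needs before deciding what to delete and re-create. The script below is an added example (not Rancher's own code or part of the advisory): it consumes the JSON form of the same listing and assumes, as is the case for Rancher Project objects, that metadata.namespace holds the cluster ID; the sample data is constructed.

```python
"""Spot Rancher project-name collisions across clusters (added example)."""
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `kubectl get projects -A -o json` output.
# Assumption: the Project object's metadata.namespace is the cluster ID;
# metadata.name is the value that collides in CVE-2024-22031.
SAMPLE_PROJECT_LIST = {
    "items": [
        {"metadata": {"name": "p-abc12", "namespace": "local"}},
        {"metadata": {"name": "p-abc12", "namespace": "c-m-xyz98"}},
        {"metadata": {"name": "p-def34", "namespace": "c-m-xyz98"}},
    ]
}


def find_project_name_collisions(project_list):
    """Return {project_name: [cluster_ids]} for names seen in >1 cluster.

    Equivalent to the advisory's `sort | uniq -c` check, but also reports
    which clusters share each name so the right projects can be rebuilt.
    """
    clusters_by_name = defaultdict(set)
    for item in project_list.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name")
        cluster = meta.get("namespace")
        if name and cluster:
            clusters_by_name[name].add(cluster)
    return {
        name: sorted(clusters)
        for name, clusters in clusters_by_name.items()
        if len(clusters) > 1
    }


def main():
    # Read real `kubectl ... -o json` output from stdin, else use the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PROJECT_LIST
    collisions = find_project_name_collisions(data)
    for name, clusters in sorted(collisions.items()):
        print(f"{name}: present in clusters {', '.join(clusters)}")
    # Non-zero exit makes the check usable from CI or a scheduled job.
    sys.exit(1 if collisions else 0)


if __name__ == "__main__":
    main()
```

Run it as `kubectl get projects -A -o json | python3 check_projects.py` on the local cluster as an administrator; any reported name is one the advisory says must be deleted and re-created.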
- HIGH
- NETWORK
- HIGH
- CHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-863 - Incorrect Authorization
Authorization is a security mechanism performed by an application to grant or deny access to the requested resources by verifying the privileges of the user. When an application lacks effective authorization mechanisms, it enables unauthorized users to gain unintended privileges and illegitimate access to resources. Such a vulnerability may result in exposure of sensitive information, denial of service, arbitrary code execution, and complete system takeover.
References
Advisory Timeline
- Published