Incorrect Privilege Assignment

CVE-2025-23391

High

9.1/10

Summary

A vulnerability has been identified within Rancher where a Restricted Administrator can change the Administrators' password and take over their accounts. A Restricted Administrator should not be allowed to change the password of more privileged users unless it includes the Manage Users permissions. Rancher deployments where the Restricted Administrator role is not being used are not affected by this vulnerability. This issue affects github.com/rancher/rancher package versions 2.8.x prior to 2.8.14, 2.9.x prior to 2.9.8, and 2.10.x prior to 2.10.4.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-266 - Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References

Advisory Timeline

Published Apr 11, 2025

Incorrect Privilege Assignment

CVE-2025-23391

Summary

CWE-266 - Incorrect Privilege Assignment

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS