CVE-2023-32191

9.9

Critical

Published:16 Oct 2024

Last updated:17 Jun 2026

Source:meissner@suse.de

Deferred

Weakness (CWE)

CWE-922CWE-922

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.

References

meissner@suse.de

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191

meissner@suse.de

https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx