Vulnerability_id VCID-qu4v-8bvw-pqdf
Summary
Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'
### Impact
A vulnerability has been identified in which granting a **global role** with `create` or `*` permissions on the resource type "namespaces", in any API group, gives the subject `*` permissions on namespaces in the core API group. As a result, the subject can access, create, update, or delete a namespace in the project. This includes reading or updating a namespace in the project so that it becomes available in other projects in which the user has the "manage-namespaces" permission, or updating another namespace on which the user has normal "update" permissions so that it is moved into the project.

The expected behavior is to not be able to create, update, or delete a namespace in the project or move another namespace into the project since the user doesn't have any permissions on namespaces in the core API group.

Moving a namespace to another project could lead to leakage of secrets if the targeted project has secrets. It can also allow the namespace to abuse the resource quotas of the targeted project.

### Patches
Patched versions include releases `2.6.14`, `2.7.10` and `2.8.2`.

### Workarounds
There is no direct mitigation besides updating Rancher to a patched version.

### References
If you have any questions or comments about this advisory:

- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security-related inquiries.
- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.
- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).
Aliases
0
alias CVE-2023-32194
1
alias GHSA-c85r-fwc7-45vc
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-32194
reference_id
reference_type
scores
0
value 0.00122
scoring_system epss
scoring_elements 0.30863
published_at 2026-06-09T12:55:00Z
1
value 0.00122
scoring_system epss
scoring_elements 0.30844
published_at 2026-06-08T12:55:00Z
2
value 0.00122
scoring_system epss
scoring_elements 0.30875
published_at 2026-06-07T12:55:00Z
3
value 0.00122
scoring_system epss
scoring_elements 0.30909
published_at 2026-06-06T12:55:00Z
4
value 0.00122
scoring_system epss
scoring_elements 0.30942
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-32194
1
reference_url https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32194
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-16T15:55:34Z/
url https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32194
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rancher/rancher
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rancher/rancher
4
reference_url https://github.com/rancher/rancher/commit/2f7113dc32d4f1f5375a1ae09b65be58f6801a15
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rancher/rancher/commit/2f7113dc32d4f1f5375a1ae09b65be58f6801a15
5
reference_url https://github.com/rancher/rancher/commit/649fdad268d8ecc748e9fdcca2ddcfdc900f9eaa
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rancher/rancher/commit/649fdad268d8ecc748e9fdcca2ddcfdc900f9eaa
6
reference_url https://github.com/rancher/rancher/commit/d4a0ff5e779e3cc5f14d77ce57620e1326ab1c22
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rancher/rancher/commit/d4a0ff5e779e3cc5f14d77ce57620e1326ab1c22
7
reference_url https://github.com/rancher/rancher/security/advisories/GHSA-c85r-fwc7-45vc
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-16T15:55:34Z/
url https://github.com/rancher/rancher/security/advisories/GHSA-c85r-fwc7-45vc
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-32194
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-32194
Weaknesses
0
cwe_id 269
name Improper Privilege Management
description The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qu4v-8bvw-pqdf