Rancher Manager Global Role Removal Vulnerability Allows Unauthorized Cluster Access

Vulnerability

A vulnerability exists in Rancher Manager versions 2.9.0, 2.10.0, 2.11.0 prior to 2.11.7, and 2.12.0 prior to 2.12.3. After a custom GlobalRole with administrative privileges, or its binding, is deleted, users may retain access to clusters. The issue specifically affects custom GlobalRoles that grant extensive resource permissions or unrestricted access to non-resource URLs. When such a role is assigned, a ClusterRoleBinding is created on every cluster, linking the user to the cluster-admin role. When the GlobalRole is deleted or the user is unbound from it, that ClusterRoleBinding is not removed, so the user keeps access to the clusters.

Impact

The vulnerability allows users to retain access to clusters even after their administrative GlobalRole has been removed, potentially leading to unauthorized actions within the cluster.

Remediation

To address this vulnerability, users should upgrade to Rancher versions 2.12.3 or 2.11.7. If an upgrade is not possible, manually identify and delete orphaned ClusterRoleBindings that are no longer associated with a valid GlobalRole.
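The manual step above, as an added example that is not Rancher's own tooling or code: the script takes the JSON output of `kubectl get clusterrolebindings -o json` from a downstream cluster and of `kubectl get globalrolebindings.management.cattle.io -o json` from the Rancher local (management) cluster, both constructed inline here, and reports the ClusterRoleBindings whose owning GlobalRoleBinding no longer exists. The label key `OWNER_LABEL` that links a downstream binding back to its GlobalRoleBinding is an assumption; confirm it against a known-good binding in your Rancher version before acting on the output. It goes slightly beyond the advisory by also listing orphans that grant a ClusterRole other than cluster-admin, at a lower severity, since those are also left behind when the GlobalRole goes away.

```python
import json

# ASSUMPTION: label key Rancher puts on the downstream ClusterRoleBinding to record
# the GlobalRoleBinding that created it. Verify on a live binding before relying on it.
OWNER_LABEL = "authz.management.cattle.io/globalrolebinding"
CLUSTER_ADMIN = "cluster-admin"

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json` (trimmed).
SAMPLE_CRBS = json.dumps({
    "kind": "List",
    "items": [
        {   # owner GlobalRoleBinding still exists -> legitimate, keep
            "metadata": {"name": "grb-alice-admin", "labels": {OWNER_LABEL: "grb-alice"}},
            "roleRef": {"kind": "ClusterRole", "name": CLUSTER_ADMIN},
            "subjects": [{"kind": "User", "name": "u-alice"}],
        },
        {   # owner GlobalRoleBinding was deleted -> orphan that still grants cluster-admin
            "metadata": {"name": "grb-bob-admin", "labels": {OWNER_LABEL: "grb-bob"}},
            "roleRef": {"kind": "ClusterRole", "name": CLUSTER_ADMIN},
            "subjects": [{"kind": "User", "name": "u-bob"}],
        },
        {   # not created through a GlobalRoleBinding at all -> out of scope, never touched
            "metadata": {"name": "system-admins", "labels": {}},
            "roleRef": {"kind": "ClusterRole", "name": CLUSTER_ADMIN},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
        {   # owner gone, but the role is not cluster-admin -> reported for review only
            "metadata": {"name": "grb-carol-view", "labels": {OWNER_LABEL: "grb-carol"}},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "User", "name": "u-carol"}],
        },
    ],
})

# Constructed sample, shaped like `kubectl get globalrolebindings.management.cattle.io -o json`.
SAMPLE_GRBS = json.dumps({
    "kind": "List",
    "items": [{"metadata": {"name": "grb-alice"}, "globalRoleName": "custom-admin"}],
})


def load_items(doc: str) -> list:
    """Return the .items array of a kubectl List document."""
    return json.loads(doc).get("items", [])


def find_orphaned_bindings(crb_json: str, grb_json: str) -> list:
    """Return ClusterRoleBindings whose owning GlobalRoleBinding no longer exists.

    Each result carries the binding name, the missing owner, the ClusterRole it
    still grants, the subjects that still hold it, and a severity: "high" when
    the role is cluster-admin (the case in the advisory), otherwise "review".
    """
    live_owners = {g["metadata"]["name"] for g in load_items(grb_json)}
    orphans = []
    for crb in load_items(crb_json):
        meta = crb.get("metadata", {})
        owner = (meta.get("labels") or {}).get(OWNER_LABEL)
        if owner is None or owner in live_owners:
            continue  # unmanaged binding, or owner still present
        role = crb.get("roleRef", {}).get("name", "")
        orphans.append({
            "name": meta["name"],
            "missing_owner": owner,
            "role": role,
            "subjects": [f'{s["kind"]}:{s["name"]}' for s in crb.get("subjects", [])],
            "severity": "high" if role == CLUSTER_ADMIN else "review",
        })
    return orphans


def cleanup_commands(orphans: list) -> list:
    """kubectl commands for the high-severity orphans, to review and then run on each downstream cluster."""
    return [f"kubectl delete clusterrolebinding {o['name']}"
            for o in orphans if o["severity"] == "high"]


if __name__ == "__main__":
    found = find_orphaned_bindings(SAMPLE_CRBS, SAMPLE_GRBS)
    for o in found:
        print(f'[{o["severity"]}] {o["name"]}: {o["role"]} -> {", ".join(o["subjects"])} '
              f'(owner {o["missing_owner"]} missing)')
    print("\n".join(cleanup_commands(found)))
```

Run it once per downstream cluster, feeding the cluster's own ClusterRoleBinding list together with the GlobalRoleBinding list from the local cluster; bindings without the owner label are deliberately ignored so that bindings created by other means are never deleted by mistake.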

Added: Oct 29, 2025, 3:23 PM
Updated: Oct 29, 2025, 3:23 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           3.1
impact           0.6
exploitability   4.8
remediation      7.7
relevance        0.8
threat           0.0
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.