SUSE Rancher
cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*
- < 2175e09
- < 6e30359
- < c744f0b
A vulnerability in the Steve API component of SUSE Rancher allows users to issue watch commands for resources they are not authorized to access. This issue affects Rancher versions prior to 2175e09, 6e30359, and c744f0b. It arises when users with generic permissions on a resource type watch resources they should not have visibility into, which exposes sensitive information such as secret keys and API tokens.
Exploitation of this vulnerability allows unauthorized users to access and view sensitive information from resources they do not have permission to access, potentially including secret keys, signing certificates, and API tokens.
Users are advised to upgrade to Rancher version 2175e09 or later on the main branch, 6e30359 or later on the release/v2.9 branch, or c744f0b or later on the release/v2.8 branch.