Impact A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login. The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the User Retention feature with delete-inactive-user-after. More precisely, Rancher validates only a subset of input from the SAML assertion request; however, it trusts and uses values that are not properly validated. An attacker could then configure the saml_Rancher_UserID cookie and the saml_Rancher_Action cookie so that the user principal from the AP will be added to the user specified by the attacker (from saml_Rancher_UserID). Rancher can then be deceived by setting saml_Rancher_UserID to the admin's user ID and saml_Rancher_Action to testAndEnable, thereby executing the vulnerable code path and leading to privilege escalation. Note that the vulnerability impacts all SAML APs available in Rancher. However the following Rancher deployments are not affected : Rancher deployments not using SAML-based AP. Rancher deployments using SAML-based AP, where all SAML users are already signed in and linked to a Rancher account. Please consult the associated MITRE ATT&CK – Technique – Access Token…Read More
GHSA-MQ23-VVG7-XFM4 Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login
