{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-32199","assignerOrgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","state":"PUBLISHED","assignerShortName":"suse","dateReserved":"2023-05-04T08:30:59.323Z","datePublished":"2025-10-29T14:54:04.162Z","dateUpdated":"2025-10-29T15:26:02.274Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","packageName":"github.com/rancher/rancher","product":"rancher","vendor":"SUSE","versions":[{"lessThan":"0.0.0-20251014212116-7faa74a968c2","status":"affected","version":"0","versionType":"semver"}]}],"datePublic":"2025-10-24T13:05:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A vulnerability has been identified within Rancher \nManager, where after removing a custom GlobalRole that gives \nadministrative access or the corresponding binding, the user still \nretains access to clusters.&nbsp;This only affects custom Global Roles that&nbsp;have a <code>*</code> on <code>*</code> in <code>*</code> rule for resources or have a <code>*</code> on <code>*</code> rule for non-resource URLs</p>"}],"value":"A vulnerability has been identified within Rancher \nManager, where after removing a custom GlobalRole that gives \nadministrative access or the corresponding binding, the user still \nretains access to clusters. This only affects custom Global Roles that have a * on * in * rule for resources or have a * on * rule for non-resource URLs"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-281","description":"CWE-281: Improper Preservation of Permissions","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","shortName":"suse","dateUpdated":"2025-10-29T14:57:27.222Z"},"references":[{"url":"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32199"},{"url":"https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59"}],"source":{"discovery":"UNKNOWN"},"title":"Rancher user retains access to clusters despite Global Role removal","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-29T15:13:25.439463Z","id":"CVE-2023-32199","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-29T15:26:02.274Z"}}]}}