Critical severity 9.9 · GHSA Advisory · Published Oct 16, 2024 · Updated Apr 15, 2026
CVE-2023-32191
Description
When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/rancher/rke (Go) | >= 1.4.18, < 1.4.19 | 1.4.19 |
| github.com/rancher/rke (Go) | >= 1.5.9, < 1.5.10 | 1.5.10 |
References
- github.com/advisories/GHSA-6gr4-52w6-vmqx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-32191 (ghsa, ADVISORY)
- bugzilla.suse.com/show_bug.cgi (nvd, WEB)
- github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd (ghsa, WEB)
- github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf (ghsa, WEB)
- github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx (nvd, WEB)