{"id":"CVE-2022-31247","details":"An Improper Authorization vulnerability in SUSE Rancher allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster. This issue affects SUSE Rancher versions prior to 2.6.7 and Rancher versions prior to 2.5.16.","aliases":["GHSA-6x34-89p7-95wg"],"modified":"2026-03-13T21:59:29.398483Z","published":"2022-09-07T09:15:08.747Z","related":["GHSA-6x34-89p7-95wg"],"references":[{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1199730"},{"type":"EVIDENCE","url":"https://github.com/rancher/rancher/security/advisories/GHSA-6x34-89p7-95wg"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rancher/rancher","events":[{"introduced":"65f3525cdc1167872af4140d45f3153698450c52"},{"fixed":"3f4e21bca44391b582601799de34075729c19783"},{"introduced":"df2432ad895c9d6be0e47e0d6d62a4c3dc8f08e5"},{"fixed":"e5c6f0f6a44dde287e9423acd99cf906fbda0aa2"}],"database_specific":{"versions":[{"introduced":"2.5.0"},{"fixed":"2.5.16"},{"introduced":"2.6.0"},{"fixed":"2.6.7"}]}}],"versions":["v2.5.0","v2.5.0-rc9","v2.5.1","v2.5.1-rc1","v2.5.10","v2.5.10-rc1","v2.5.10-rc2","v2.5.10-rc3","v2.5.10-rc4","v2.5.10-rc5","v2.5.10-rc6","v2.5.10-rc7","v2.5.12","v2.5.12-rc1","v2.5.12-rc2","v2.5.12-rc3","v2.5.12-rc4","v2.5.12-rc5","v2.5.12-rc6","v2.5.12-rc7","v2.5.12-rc8","v2.5.13","v2.5.13-rc1","v2.5.13-rc2","v2.5.13-rc3","v2.5.13-rc4","v2.5.14","v2.5.14-rc1","v2.5.14-rc2","v2.5.16-rc1","v2.5.16-rc2","v2.5.16-rc3","v2.5.2","v2.5.2-rc","v2.5.2-rc1","v2.5.2-rc10","v2.5.2-rc2","v2.5.2-rc3","v2.5.2-rc4","v2.5.2-rc5","v2.5.2-rc6","v2.5.2-rc7","v2.5.2-rc8","v2.5.2-rc9","v2.5.4","v2.5.4-rc1","v2.5.4-rc2","v2.5.4-rc3","v2.5.4-rc4","v2.5.4-rc5","v2.5.4-rc6","v2.5.4-rc7","v2.5.4-rc8","v2.5.4-
rc9","v2.5.6","v2.5.6-rc1","v2.5.6-rc2","v2.5.6-rc3","v2.5.6-rc4","v2.5.6-rc5","v2.5.6-rc6","v2.5.6-rc7","v2.5.6-rc8","v2.5.6-rc9","v2.5.8","v2.5.8-rc10","v2.5.8-rc11","v2.5.8-rc12","v2.5.8-rc13","v2.5.8-rc14","v2.5.8-rc15","v2.5.8-rc16","v2.5.8-rc17","v2.5.8-rc18","v2.5.8-rc19","v2.5.8-rc2","v2.5.8-rc20","v2.5.8-rc21","v2.5.8-rc3","v2.5.8-rc4","v2.5.8-rc5","v2.5.8-rc6","v2.5.8-rc7","v2.5.8-rc8","v2.5.8-rc9","v2.6.0","v2.6.0-rc10","v2.6.1","v2.6.1-harvester1","v2.6.1-harvester2","v2.6.1-rc1","v2.6.1-rc10","v2.6.1-rc11","v2.6.1-rc12","v2.6.1-rc13","v2.6.1-rc2","v2.6.1-rc3","v2.6.1-rc4","v2.6.1-rc5","v2.6.1-rc6","v2.6.1-rc7","v2.6.1-rc8","v2.6.1-rc9","v2.6.3","v2.6.3-harvester1","v2.6.3-rc1","v2.6.3-rc10","v2.6.3-rc11","v2.6.3-rc2","v2.6.3-rc3","v2.6.3-rc4","v2.6.3-rc5","v2.6.3-rc6","v2.6.3-rc7","v2.6.3-rc8","v2.6.3-rc9","v2.6.4-alpha1","v2.6.4-alpha2","v2.6.4-alpha3","v2.6.4-rc1","v2.6.4-rc10","v2.6.4-rc11","v2.6.4-rc12","v2.6.4-rc13","v2.6.4-rc2","v2.6.4-rc3","v2.6.4-rc4","v2.6.4-rc5","v2.6.4-rc6","v2.6.4-rc8","v2.6.4-rc9","v2.6.5","v2.6.5-alpha1","v2.6.5-rc1","v2.6.5-rc10","v2.6.5-rc11","v2.6.5-rc12","v2.6.5-rc2","v2.6.5-rc3","v2.6.5-rc4","v2.6.5-rc5","v2.6.5-rc6","v2.6.5-rc8","v2.6.5-rc9","v2.6.6-rc1","v2.6.7-rc1","v2.6.7-rc2","v2.6.7-rc3","v2.6.7-rc4","v2.6.7-rc5","v2.6.7-rc6","v2.6.7-rc7","v2.6.7-rc8","v2.6.7-rc9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31247.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}