{"id":"CVE-2025-23391","details":"An Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts.\nThis issue affects rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, from 2.10.0 before 2.10.4.","aliases":["GHSA-8p83-cpfg-fj3g","GO-2025-3586"],"modified":"2026-04-10T05:22:53.179779Z","published":"2025-04-11T11:15:42.747Z","related":["openSUSE-SU-2025:14970-1"],"references":[{"type":"ADVISORY","url":"https://github.com/rancher/rancher/security/advisories/GHSA-8p83-cpfg-fj3g"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23391"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rancher/rancher","events":[{"introduced":"72f58378bf03122a9651c9bd3b4c143a57e8fdaa"},{"fixed":"d704a664ad62446de65e482ab712ae6b07f1b6e0"},{"introduced":"9e0cc54e7e3a924cf0ed5c5d4db0a6e53805c75e"},{"fixed":"887911671e61169f90df0e1229044e01861f382f"},{"introduced":"df45e368c82d4027410fa4700371982b9236b7c8"},{"fixed":"3fdfa8c24361429803baa3fc4be739cfd4e0263a"}],"database_specific":{"versions":[{"introduced":"2.8.0"},{"fixed":"2.8.14"},{"introduced":"2.9.0"},{"fixed":"2.9.8"},{"introduced":"2.10.0"},{"fixed":"2.10.4"}]}}],"versions":["v2.10.0","v2.10.1","v2.10.1-alpha1","v2.10.1-rc1","v2.10.2","v2.10.2-alpha1","v2.10.2-alpha2","v2.10.2-alpha3","v2.10.2-alpha4","v2.10.2-rc1","v2.10.3","v2.10.3-alpha1","v2.10.3-alpha2","v2.10.3-rc1","v2.10.4-alpha1","v2.10.4-alpha2","v2.10.4-alpha3","v2.10.4-alpha4","v2.10.4-rc1","v2.8.0","v2.8.0-rc5","v2.8.10","v2.8.10-alpha1","v2.8.10-alpha2","v2.8.10-rc1","v2.8.10-rc2","v2.8.11","v2.8.11-alpha1","v2.8.11-rc1","v2.8.12","v2.8.12-alpha1","v2.8.12-alpha2","v2.8.12-rc1","v2.8.13","v2.8.13-alpha1","v2.8.13-rc1","v2.8.14-alpha1","v2.8.14-alpha2","v2.8.14-rc1","v2.8.3","v2.8.3-alpha1","v2.8.3-alpha2","v2.8.3-rc1","v2.8.3-rc2","v2.8.3-rc3","v2.8.3-rc4","v2.8.3-rc5","v2.8.3-rc6","v2.8.3-rc7","v2.8.3-rc8","v2.8.4","v
2.8.4-alpha1","v2.8.4-rc1","v2.8.4-rc2","v2.8.4-rc3","v2.8.4-rc4","v2.8.4-rc5","v2.8.6","v2.8.6-alpha1","v2.8.6-alpha2","v2.8.6-alpha3","v2.8.6-alpha4","v2.8.6-alpha5","v2.8.6-alpha6","v2.8.6-rc1","v2.8.6-rc2","v2.8.6-rc3","v2.8.6-rc4","v2.8.7","v2.8.7-rc1","v2.8.7-rc10","v2.8.7-rc2","v2.8.7-rc3","v2.8.7-rc4","v2.8.7-rc5","v2.8.7-rc6","v2.8.7-rc7","v2.8.7-rc8","v2.8.7-rc9","v2.8.8","v2.8.8-alpha1","v2.8.8-alpha2","v2.8.8-rc1","v2.8.9","v2.8.9-alpha1","v2.8.9-alpha10","v2.8.9-alpha2","v2.8.9-alpha3","v2.8.9-alpha4","v2.8.9-alpha5","v2.8.9-alpha6","v2.8.9-alpha8","v2.8.9-alpha9","v2.8.9-rc1","v2.8.9-rc2","v2.9.0","v2.9.0-rc6","v2.9.1","v2.9.1-alpha1","v2.9.1-alpha2","v2.9.1-rc1","v2.9.1-rc2","v2.9.1-rc3","v2.9.1-rc4","v2.9.1-rc5","v2.9.1-rc6","v2.9.2","v2.9.2-alpha1","v2.9.2-alpha2","v2.9.2-alpha3","v2.9.2-alpha4","v2.9.2-alpha5","v2.9.2-alpha6","v2.9.2-alpha7","v2.9.2-rc1","v2.9.3","v2.9.3-alpha1","v2.9.3-alpha2","v2.9.3-alpha3","v2.9.3-alpha4","v2.9.3-alpha5","v2.9.3-alpha6","v2.9.3-alpha7","v2.9.3-rc1","v2.9.3-rc2","v2.9.4","v2.9.4-alpha1","v2.9.4-alpha2","v2.9.4-alpha3","v2.9.4-alpha4","v2.9.4-alpha5","v2.9.4-hotfix-schema-leak.1","v2.9.4-rc1","v2.9.4-rc2","v2.9.4-rc3","v2.9.5","v2.9.5-alpha1","v2.9.5-rc1","v2.9.6","v2.9.6-alpha1","v2.9.6-alpha2","v2.9.6-alpha3","v2.9.6-rc1","v2.9.7","v2.9.7-alpha1","v2.9.7-alpha2","v2.9.7-alpha3","v2.9.7-rc1","v2.9.8-alpha1","v2.9.8-alpha2","v2.9.8-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23391.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}