CVE-2023-32191 Information
Nov 01, 2024
Description
When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. The information available there allows non-admin users to escalate to admin.
Reference
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191
https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx