CVE-2025-23389 Common Vulnerabilities and Exposures

Upstream information

CVE-2025-23389 at MITRE

Description

A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login.
This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.

Upstream Security Advisories:

https://github.com/rancher/rancher/security/advisories/GHSA-mq23-vvg7-xfm4

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail	CNA (SUSE)
Base Score	8.4
Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector	Network
Attack Complexity	High
Privileges Required	Low
User Interaction	None
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	Low
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1236780 [NEW]

SUSE Security Advisories:

GHSA-mq23-vvg7-xfm4, published Thu Feb 27 18:56:14 CET 2025

List of released packages

Product(s)	Fixed package version(s)	References
Container suse/sl-micro/6.1/baremetal-os-container:latest	`update-alternatives >= 1.22.0-slfo.1.1_2.1`
openSUSE Tumbleweed	`govulncheck-vulndb >= 0.0.20250312T181707-1.1`	Patchnames: openSUSE-Tumbleweed-2025-14889

SUSE Timeline for this CVE

CVE page created: Tue Feb 4 14:00:33 2025
CVE page last modified: Fri Oct 24 12:34:28 2025