Description
Advisory GHSA-j4vr-pcmw-hx59 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/rancher/rancher |
Description:
Impact
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters.
This only affects custom Global Roles that:
- Have a `*` on `*` in `*` rule for resources
- Have a `*` on `*` rule for non-resource URLs

For example:

```yaml
apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
  name: custom-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
...
```
References:
- ADVISORY: https://github.com/advisories/GHSA-j4vr-pcmw-hx59
- ADVISORY: https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59
- FIX: https://github.com/rancher/rancher/pull/52303
Cross references:
- github.com/rancher/rancher appears in 52 other report(s):
- data/excluded/GO-2022-0439.yaml (https://github.com/golang/vulndb/issues/439) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0464.yaml (https://github.com/golang/vulndb/issues/464) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0551.yaml (https://github.com/golang/vulndb/issues/551) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0605.yaml (https://github.com/golang/vulndb/issues/605) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0610.yaml (https://github.com/golang/vulndb/issues/610) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0973.yaml (https://github.com/golang/vulndb/issues/973) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0974.yaml (https://github.com/golang/vulndb/issues/974) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0975.yaml (https://github.com/golang/vulndb/issues/975) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1511.yaml (https://github.com/golang/vulndb/issues/1511) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1513.yaml (https://github.com/golang/vulndb/issues/1513) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1514.yaml (https://github.com/golang/vulndb/issues/1514) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1516.yaml (https://github.com/golang/vulndb/issues/1516) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1517.yaml (https://github.com/golang/vulndb/issues/1517) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1518.yaml (https://github.com/golang/vulndb/issues/1518) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1736.yaml (https://github.com/golang/vulndb/issues/1736) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1814.yaml (https://github.com/golang/vulndb/issues/1814) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1815.yaml (https://github.com/golang/vulndb/issues/1815) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1816.yaml (https://github.com/golang/vulndb/issues/1816) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1825.yaml (https://github.com/golang/vulndb/issues/1825) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1905.yaml (https://github.com/golang/vulndb/issues/1905) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0644.yaml (https://github.com/golang/vulndb/issues/644)
- data/reports/GO-2022-0755.yaml (https://github.com/golang/vulndb/issues/755)
- data/reports/GO-2023-1973.yaml (https://github.com/golang/vulndb/issues/1973)
- data/reports/GO-2023-1991.yaml (https://github.com/golang/vulndb/issues/1991)
- data/reports/GO-2024-2535.yaml (https://github.com/golang/vulndb/issues/2535)
- data/reports/GO-2024-2537.yaml (https://github.com/golang/vulndb/issues/2537)
- data/reports/GO-2024-2760.yaml (https://github.com/golang/vulndb/issues/2760)
- data/reports/GO-2024-2761.yaml (https://github.com/golang/vulndb/issues/2761)
- data/reports/GO-2024-2762.yaml (https://github.com/golang/vulndb/issues/2762)
- data/reports/GO-2024-2764.yaml (https://github.com/golang/vulndb/issues/2764)
- data/reports/GO-2024-2768.yaml (https://github.com/golang/vulndb/issues/2768)
- data/reports/GO-2024-2771.yaml (https://github.com/golang/vulndb/issues/2771)
- data/reports/GO-2024-2778.yaml (https://github.com/golang/vulndb/issues/2778)
- data/reports/GO-2024-2784.yaml (https://github.com/golang/vulndb/issues/2784)
- data/reports/GO-2024-2929.yaml (https://github.com/golang/vulndb/issues/2929)
- data/reports/GO-2024-2931.yaml (https://github.com/golang/vulndb/issues/2931)
- data/reports/GO-2024-2932.yaml (https://github.com/golang/vulndb/issues/2932)
- data/reports/GO-2024-3161.yaml (https://github.com/golang/vulndb/issues/3161)
- data/reports/GO-2024-3220.yaml (https://github.com/golang/vulndb/issues/3220)
- data/reports/GO-2024-3221.yaml (https://github.com/golang/vulndb/issues/3221)
- data/reports/GO-2024-3223.yaml (https://github.com/golang/vulndb/issues/3223)
- data/reports/GO-2024-3280.yaml (https://github.com/golang/vulndb/issues/3280)
- data/reports/GO-2025-3391.yaml (https://github.com/golang/vulndb/issues/3391)
- data/reports/GO-2025-3489.yaml (https://github.com/golang/vulndb/issues/3489)
- data/reports/GO-2025-3490.yaml (https://github.com/golang/vulndb/issues/3490)
- data/reports/GO-2025-3491.yaml (https://github.com/golang/vulndb/issues/3491)
- data/reports/GO-2025-3586.yaml (https://github.com/golang/vulndb/issues/3586)
- data/reports/GO-2025-3647.yaml (https://github.com/golang/vulndb/issues/3647)
- data/reports/GO-2025-3923.yaml (https://github.com/golang/vulndb/issues/3923)
- data/reports/GO-2025-3982.yaml (https://github.com/golang/vulndb/issues/3982)
- data/reports/GO-2025-3983.yaml (https://github.com/golang/vulndb/issues/3983)
- data/reports/GO-2025-3984.yaml (https://github.com/golang/vulndb/issues/3984)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rancher
      versions:
        - fixed: 0.0.0-20251014212116-7faa74a968c2
summary: Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher
cves:
    - CVE-2023-32199
ghsas:
    - GHSA-j4vr-pcmw-hx59
references:
    - advisory: GHSA-j4vr-pcmw-hx59
    - advisory: GHSA-j4vr-pcmw-hx59
    - fix: rancher/rancher#52303
notes:
    - fix: 'github.com/rancher/rancher: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-j4vr-pcmw-hx59
    created: 2025-10-24T16:01:34.616182227Z
review_status: UNREVIEWED
```