CVE-2021-36782 — Cleartext Storage of Sensitive Info in Rancher

CWE-312 — Cleartext Storage of Sensitive Info CWE-200 — Sensitive Information Exposure CWE-256 — Plaintext Storage of a Password5 documents4 sources

Severity

9.9CRITICALNVD

EPSS

79.6%

top 0.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Rancher Github.com Rancher Rancher

Timeline

PublishedSep 7

Latest updateJan 25

Description

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages3 packages

▶CVEListV5suse/rancherRancher — 2.5.16+1

▶NVDsuse/rancher2.5.0 — 2.5.16+1

▶Gogithub.com/rancher_rancher2.5.0 — 2.5.16+1

🔴Vulnerability Details

GHSA

Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects↗2023-01-25

▶

OSV

Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials↗2022-09-23

▶

GHSA

Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials↗2022-09-23

▶

CVEList

Rancher: Plaintext storage and exposure of credentials in Rancher API and cluster.management.cattle.io object↗2022-09-07

▶