CVE-2021-36782
Published 2022-09-07
Priority P2 · 64 · critical · 9.9 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 2.93% (85.3th percentile)
A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve a plaintext version of sensitive data. This issue affects SUSE Rancher: Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.5.0 < 2.5.17 | 2.5.17 |
| github.com | rancher_rancher | >= 2.5.0 < 2.5.16 | 2.5.16 |
| github.com | rancher_rancher | >= 2.6.0 < 2.6.10 | 2.6.10 |
| github.com | rancher_rancher | >= 2.6.0 < 2.6.7 | 2.6.7 |
| github.com | rancher_rancher | >= 2.7.0 < 2.7.1 | 2.7.1 |
| suse | rancher | >= 2.5.0 < 2.5.16 | 2.5.16 |
| suse | rancher | >= 2.6.0 < 2.6.7 | 2.6.7 |
| suse | rancher | >= Rancher < 2.5.16 | 2.5.16 |
| suse | rancher | >= Rancher < 2.6.7 | 2.6.7 |
Detection & IOCs
- Monitor Kubernetes API read access to cluster.management.cattle.io objects, which may indicate attempts to retrieve plaintext credentials, API keys, or service account tokens stored on Cluster objects in Rancher.
- A Metasploit auxiliary module exists for this CVE (rancher_authenticated_api_cred_exposure). Detect exploitation attempts by monitoring for authenticated API enumeration of Rancher cluster objects, particularly GET requests to cluster management API endpoints by low-privileged roles (Cluster Members, Project Members, User Base).
- Affected versions are Rancher prior to 2.5.16 and prior to 2.6.7. Instances running Rancher 2.5.15 or earlier, and 2.6.6 or earlier, are vulnerable to plaintext credential exposure via the Kubernetes API.
- Sensitive fields including passwords, API keys, and Rancher's service account token used to provision clusters are stored in plaintext on Kubernetes Cluster objects, accessible to any authenticated user with read access.
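One way to implement the monitoring described above, as an added example (not code from this page or from Rancher): a filter over Kubernetes audit events (`audit.k8s.io/v1` JSON lines) that reports successful reads of the Rancher objects named on this page by identities outside an allowlist. The sample events, the user names and the allowlist of expected readers are constructed assumptions.

```python
import json
from collections import defaultdict

# Resources named on this page; audit events carry the plural CRD name.
WATCHED_GROUP = "management.cattle.io"
WATCHED_RESOURCES = {"clusters", "clustertemplaterevisions", "catalogs"}
READ_VERBS = {"get", "list", "watch"}

def suspicious_reads(audit_lines, expected_readers):
    """Return {username: sorted resources} for successful reads of the
    watched objects by identities that are not in expected_readers."""
    hits = defaultdict(set)
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != WATCHED_GROUP:
            continue
        if ref.get("resource") not in WATCHED_RESOURCES:
            continue
        if ev.get("verb") not in READ_VERBS:
            continue
        if ((ev.get("responseStatus") or {}).get("code") or 0) >= 400:
            continue  # request was rejected, nothing was returned
        # With impersonation, the impersonated user is the effective caller.
        who = ev.get("impersonatedUser") or ev.get("user") or {}
        name = who.get("username", "<unknown>")
        if name not in expected_readers:
            hits[name].add(ref["resource"])
    return {user: sorted(res) for user, res in hits.items()}

# Constructed sample events (hypothetical identities, not real log data).
SAMPLE = [
    '{"verb":"list","user":{"username":"system:serviceaccount:cattle-system:rancher"},"objectRef":{"apiGroup":"management.cattle.io","resource":"clusters"},"responseStatus":{"code":200}}',
    '{"verb":"get","user":{"username":"system:serviceaccount:cattle-system:rancher"},"impersonatedUser":{"username":"u-example1"},"objectRef":{"apiGroup":"management.cattle.io","resource":"clusters","name":"c-example"},"responseStatus":{"code":200}}',
    '{"verb":"list","user":{"username":"u-example2"},"objectRef":{"apiGroup":"management.cattle.io","resource":"clustertemplaterevisions"},"responseStatus":{"code":403}}',
    '{"verb":"update","user":{"username":"u-example1"},"objectRef":{"apiGroup":"management.cattle.io","resource":"clusters"},"responseStatus":{"code":200}}',
    '{"verb":"get","user":{"username":"u-example1"},"objectRef":{"apiGroup":"","resource":"pods"},"responseStatus":{"code":200}}',
    '{"verb":"list","user":{"usern',
]
EXPECTED = {"system:serviceaccount:cattle-system:rancher"}  # assumed allowlist

if __name__ == "__main__":
    print(suspicious_reads(SAMPLE, EXPECTED))
```

The audit policy must log these resources at `Metadata` level or higher for the events to exist; the allowlist should hold the controllers and administrators that legitimately read Cluster objects in your environment.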
CVSS provenance
- nvd · v3.1 · 9.9 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- ghsa · 9.9 CRITICAL
- osv · 9.9 CRITICAL
OSV
Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects
osv·2023-01-25·CVSS 9.9
CVE-2022-43757 [CRITICAL] Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects
### Impact
This issue affects Rancher versions from 2.5.0 up to and including 2.5.16, from 2.6.0 up to and including 2.6.9 and 2.7.0. It was discovered that the security advisory CVE-2021-36782 (GHSA-g7j7-h4q8-8w2f), previously released by Rancher, missed addressing some sensitive fields, secret tokens, encryption keys, and SSH keys that were still being stored in plaintext directly on Kubernetes objects like `Clusters`.
The exposed credentials are visible in Rancher to authenticated `Cluster Owners`, `Cluster Members`, `Project Owners` and `Project Members` of that cluster on the endpoints:
- `/v1/management.cattle.io.cluster`
- `/v1/management.cattle.io.clustertemplaterevisions`
The remaining
GHSA
Rancher cattle-token is predictable
ghsa·2023-01-25·CVSS 9.9
CVE-2022-43755 [CRITICAL] CWE-330 Rancher cattle-token is predictable
### Impact
An issue was discovered in Rancher versions up to and including 2.6.9 and 2.7.0, where the `cattle-token` secret, used by the `cattle-cluster-agent`, is predictable. Even after the token is regenerated, it will have the same value. This issue is not present in Rancher 2.5 releases.
The `cattle-token` is used by Rancher's `cattle-cluster-agent` to connect to the Kubernetes API of Rancher provisioned downstream clusters. The problem occurs because the `cattle-token` secret does not use any random value in its composition, which causes it to always be regenerated with the same value. This can pose a serious problem if the token is compromised and needs to be recreated for security purposes.
The usage of the `cattle-token` by an unauthorized u
OSV
Rancher cattle-token is predictable
osv·2023-01-25·CVSS 9.9
CVE-2022-43755 [CRITICAL] Rancher cattle-token is predictable
### Impact
An issue was discovered in Rancher versions up to and including 2.6.9 and 2.7.0, where the `cattle-token` secret, used by the `cattle-cluster-agent`, is predictable. Even after the token is regenerated, it will have the same value. This issue is not present in Rancher 2.5 releases.
The `cattle-token` is used by Rancher's `cattle-cluster-agent` to connect to the Kubernetes API of Rancher provisioned downstream clusters. The problem occurs because the `cattle-token` secret does not use any random value in its composition, which causes it to always be regenerated with the same value. This can pose a serious problem if the token is compromised and needs to be recreated for security purposes.
The usage of the `cattle-token` by an unauthorized u
GHSA
Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects
ghsa·2023-01-25·CVSS 9.9
CVE-2022-43757 [CRITICAL] CWE-200 Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects
### Impact
This issue affects Rancher versions from 2.5.0 up to and including 2.5.16, from 2.6.0 up to and including 2.6.9 and 2.7.0. It was discovered that the security advisory CVE-2021-36782 (GHSA-g7j7-h4q8-8w2f), previously released by Rancher, missed addressing some sensitive fields, secret tokens, encryption keys, and SSH keys that were still being stored in plaintext directly on Kubernetes objects like `Clusters`.
The exposed credentials are visible in Rancher to authenticated `Cluster Owners`, `Cluster Members`, `Project Owners` and `Project Members` of that cluster on the endpoints:
- `/v1/management.cattle.io.cluster`
- `/v1/management.cattle.io.clustertemplaterevisions`
The remaining
OSV
Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
osv·2022-09-23
CVE-2021-36782 [CRITICAL] Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
### Impact
An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like `Clusters`, for example `cluster.management.cattle.io`. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of that sensitive data.
The exposed credentials are visible in Rancher to authenticated `Cluster Owners`, `Cluster Members`, `Project Owners`, `Project Members` and `User Base` on the endpoints:
- `/v1/management.cattle.io.catalogs`
- `/v1/management.cattle.io.
GHSA
Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
ghsa·2022-09-23
CVE-2021-36782 [CRITICAL] CWE-312 Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
### Impact
An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like `Clusters`, for example `cluster.management.cattle.io`. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of that sensitive data.
The exposed credentials are visible in Rancher to authenticated `Cluster Owners`, `Cluster Members`, `Project Owners`, `Project Members` and `User Base` on the endpoints:
- `/v1/management.cattle.io.catalogs`
- `/v1/management.cattle.io.