CVE-2022-45157
Published 2024-11-13
Priority P350 · critical 9.1 · CVSS 3.1 (AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:L / A:L)
EPSS: 0.44% (35.0th percentile)
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.7.0 < 2.8.9 | 2.8.9 |
| github.com | rancher_rancher | >= 2.9.0 < 2.9.3 | 2.9.3 |
| suse | rancher | >= 2.7.0 < 2.8.9 | 2.8.9 |
| suse | rancher | >= 2.9.0 < 2.9.3 | 2.9.3 |
CVSS provenance
- NVD · CVSS v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
- NVD · CVSS v4.0 · 8.5 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
Exposure of vSphere's CPI and CSI credentials in Rancher in github.com/rancher/rancher
osv · 2024-10-28 · CVE-2022-45157
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.8.9, from v2.9.0 before v2.9.3.
OSV
Exposure of vSphere's CPI and CSI credentials in Rancher
osv · 2024-10-25 · CVE-2022-45157 [HIGH]

GHSA
Exposure of vSphere's CPI and CSI credentials in Rancher
ghsa · 2024-10-25 · CVE-2022-45157 [HIGH] · CWE-522

### Impact
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.
The exposed passwords were accessible in the following objects:
- Can be accessed by users that are cluster members of the provisioned clusters:
  - When provisioning a new cluster with the vSphere cloud provider through Rancher's UI (user interface), Cluster Templates and Terraform on the object `provisioning.ca
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.