CVE-2024-22032 — Sensitive Information Exposure in Rancher

CWE-200 — Sensitive Information Exposure CWE-256 — Plaintext Storage of a Password5 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 80.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Rancher Github.com Rancher Rancher

Timeline

PublishedOct 16

Description

A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled. When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project members (for projects within the cluster), all have RBAC permissions to view the cluster object from the apiserver.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5suse/rancher2.7.0 — 2.7.14+1

▶Gogithub.com/rancher_rancher2.7.0 — 2.7.14+1

🔴Vulnerability Details

CVEList

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec↗2024-10-16

▶

OSV

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher↗2024-06-28

▶

GHSA

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec↗2024-06-17

▶

OSV

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec↗2024-06-17

▶