CVE-2024-22032
Published 2024-10-16
Priority: P3 · 36 · medium · 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.37% (28.7th percentile)
A vulnerability has been identified in which an RKE1 cluster keeps
constantly reconciling when secrets encryption configuration is enabled.
When reconciling, the Kube API secret values are written in plaintext
on the AppliedSpec. Cluster owners, Cluster members, and Project members
(for projects within the cluster), all have RBAC permissions to view
the cluster object from the apiserver.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.7.0 < 2.7.14 | 2.7.14 |
| github.com | rancher_rancher | >= 2.8.0 < 2.8.5 | 2.8.5 |
| suse | rancher | >= 2.7.0 < 2.7.14 | 2.7.14 |
| suse | rancher | >= 2.8.0 < 2.8.5 | 2.8.5 |
CVSS provenance
NVD (CVSS v3.1): 6.5 MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD (CVSS v4.0): 7.1 HIGH — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher
osv·2024-06-28
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.
GHSA
Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
ghsa·2024-06-17
CVE-2024-22032 [HIGH] CWE-200 Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
### Impact
This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled.
A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the [RKE documentation](https://rke.docs.rancher.com/config-options/secrets-encryption)). When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project members (for projects within the cluster), all have RBAC permissions to view the cluster object from the apiserver.
This could lead to an unauthorized user gaining access to the entire secrets encryption config specific f
OSV
Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
osv·2024-06-17
CVE-2024-22032 [HIGH] Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-10-16