CVE-2024-22032 MEDIUM

CVE-2024-22032: Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec

Vendor Suse

Product rancher

Weakness CWE-200 · Info exposure

Published October 16, 2024

Last update October 16, 2024

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled. When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project members (for projects within the cluster), all have RBAC permissions to view the cluster object from the apiserver.

Key dates

02Disclosure timeline

October 16, 2024 CVE published

October 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-22032 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2024-22032

CWE CWE-200

CVSS 6.5 / MEDIUM

Affected versions

Vendor Suse

Product rancher

Affected ≥ 2.7.0 and < 2.7.14

Vendor Suse

Product rancher

Affected ≥ 2.8.0 and < 2.8.5

CVE-2024-22032: Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec

01Description

02Disclosure timeline

03References

04Related CVE