PT-2026-22925 · Suse · Rancher Backup Operator

Published 2026-03-03 · Updated 2026-03-25 · CVE-2025-62879

CVSS v3.1: 6.8 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Rancher Backup Operator versions prior to 108.0.1+up9.0.1
Rancher Backup Operator versions prior to 107.1.2+up8.1.2
Rancher Backup Operator versions prior to 106.0.6+up7.0.5
Rancher Backup Operator versions prior to 105.0.6+up6.0.3

Description

A flaw exists in the Rancher Backup Operator that can lead to the exposure of S3 tokens, specifically the accessKey and secretKey, within the logs of the rancher-backup-operator pod. The accessKey is exposed by default. The secretKey is exposed when the logging level is set to trace: true or debug: true. This leakage could allow unauthorized access to S3 resources.

Recommendations

Versions prior to 108.0.1+up9.0.1 should be updated to a patched version.
Versions prior to 107.1.2+up8.1.2 should be updated to a patched version.
Versions prior to 106.0.6+up7.0.5 should be updated to a patched version.
Versions prior to 105.0.6+up6.0.3 should be updated to a patched version.

If updating is not possible, ensure that both debug and trace values are set to false to prevent potential leaks. Rotate S3 accessKey and secretKey after upgrading to a fixed version, especially if logs are exported.
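
The following triage helper is an added example, not code from the advisory or from the Rancher project. It classifies one deployment from its chart version and its debug and trace values. It assumes that the first number of the chart version identifies the release line and that the Helm values are already loaded into a dict; it makes no claim about release lines the advisory does not list.

```python
import re

# Fixed chart versions, one per release line, as listed in the advisory above.
FIXED_VERSIONS = ("108.0.1+up9.0.1", "107.1.2+up8.1.2",
                  "106.0.6+up7.0.5", "105.0.6+up6.0.3")
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\+up(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Split 'A.B.C+upX.Y.Z' into ((A, B, C), (X, Y, Z)) for tuple comparison."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised chart version: {text!r}")
    nums = tuple(int(g) for g in match.groups())
    return nums[:3], nums[3:]


# Assumption: the first number of the chart version identifies the release line.
_FIXED_BY_LINE = {parse_version(v)[0][0]: v for v in FIXED_VERSIONS}


def triage(chart_version, values):
    """Classify one deployment from its chart version and its Helm values dict."""
    installed = parse_version(chart_version)
    fixed = _FIXED_BY_LINE.get(installed[0][0])
    if fixed is None:
        # The advisory names no fixed version for this line, so make no claim.
        return {"vulnerable": None, "access_key_logged": None,
                "secret_key_logged": None, "actions": ["check the vendor advisory"]}
    vulnerable = installed < parse_version(fixed)
    verbose = bool(values.get("debug")) or bool(values.get("trace"))
    actions = []
    if vulnerable:
        actions.append(f"upgrade to {fixed} or later")
        if verbose:
            actions.append("until upgraded, set debug and trace to false")
        actions.append("rotate S3 accessKey and secretKey after upgrading")
    return {"vulnerable": vulnerable,
            "access_key_logged": vulnerable,              # exposed by default
            "secret_key_logged": vulnerable and verbose,  # needs debug or trace
            "actions": actions}


if __name__ == "__main__":
    # Constructed sample deployments, not taken from a real cluster.
    for ver, vals in [("107.1.1+up8.1.1", {"debug": True}),
                      ("106.0.6+up7.0.5", {"trace": True}),
                      ("108.0.0+up9.0.0", {})]:
        print(ver, triage(ver, vals))
```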

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2025-62879
GHSA-WJ3P-5H3X-C74Q
GO-2026-4591
SUSE-SU-2026:1042-1

Affected Products

Rancher Backup Operator