Suse · Suse Rancher K3S · CVE-2021-32001
Name of the Vulnerable Software and Affected Versions:
SUSE Rancher K3s versions v1.19.12+k3s1 through v1.21.2+k3s1 and prior versions
RKE2 versions v1.19.12+rke2r1 through v1.21.2+rke2r1 and prior versions
Description:
A Missing Encryption of Sensitive Data issue allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value.
Recommendations:
For SUSE Rancher K3s versions v1.19.12+k3s1 through v1.21.2+k3s1 and prior versions, consider restricting access to the datastore and backups to minimize the risk of exploitation.
For RKE2 versions v1.19.12+rke2r1 through v1.21.2+rke2r1 and prior versions, consider implementing additional security measures to protect the cluster's confidential keying material.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
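One way to verify the access restriction recommended above on a server host, as an added example that is not code from the advisory or from the K3s/RKE2 projects: the script lists files under the datastore and backup directories that group or other users can read, and can tighten them to owner-only access. Both directory paths are assumptions for illustration, not values from this page; override them to match your installation.

```shell
#!/bin/sh
# Audit the on-disk datastore and backup locations for files readable by
# anyone other than their owner, then optionally tighten them.
# The two default paths are assumptions, not values from the advisory;
# override them via environment variables to match your install.
K3S_DB_DIR="${K3S_DB_DIR:-/var/lib/rancher/k3s/server/db}"   # assumed datastore dir
BACKUP_DIR="${BACKUP_DIR:-/var/backups/k3s}"                  # placeholder backup dir

# Print every regular file under $1 whose mode grants read to group or others.
# Returns 0 when nothing is exposed, 1 when at least one file is, 2 if $1 is missing.
find_readable_by_others() {
    dir="$1"
    [ -d "$dir" ] || { echo "skipping missing directory: $dir" >&2; return 2; }
    # -perm -040: group-read bit set; -perm -004: other-read bit set (POSIX octal form)
    exposed=$(find "$dir" -type f \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Reduce $1 and every regular file below it to owner-only access
# (directory 0700, files 0600). Ownership is left unchanged.
restrict_dir() {
    dir="$1"
    [ -d "$dir" ] || return 2
    chmod 700 "$dir" && find "$dir" -type f -exec chmod 600 {} +
}

# When run directly: report exposed files in both locations.
# audit_status ends up 1 if anything was exposed; pass --fix to also restrict.
audit_status=0
for d in "$K3S_DB_DIR" "$BACKUP_DIR"; do
    rc=0
    find_readable_by_others "$d" || rc=$?
    if [ "$rc" -eq 1 ]; then
        audit_status=1
    fi
done
if [ "${1:-}" = "--fix" ] && [ "$audit_status" -eq 1 ]; then
    restrict_dir "$K3S_DB_DIR"
    restrict_dir "$BACKUP_DIR"
fi
```

Run it as the user that owns the datastore files (normally root); exposed paths are printed on stdout and missing directories are reported on stderr.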