PT-2022-4760 · Suse · Suse Rancher

Florian Struck

Published: 2022-09-07 · Updated: 2023-01-18

CVE-2021-36782

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
SUSE Rancher versions prior to 2.5.16
SUSE Rancher versions prior to 2.6.7

Description:
The issue is related to cleartext storage of sensitive information in SUSE Rancher, allowing authenticated users to retrieve plaintext versions of sensitive data through the Kubernetes API. This affects various roles, including Cluster Owners, Cluster Members, Project Owners, Project Members, and User Base. The exposed credentials are visible on several endpoints, including "/v1/management.cattle.io.catalogs", "/v1/management.cattle.io.cluster", and others. The exposure of Rancher's serviceAccountToken allows any standard user to escalate their privileges to cluster administrator in Rancher. Sensitive fields addressed by this security fix include Notifier.SMTPConfig.Password, Notifier.WechatConfig.Secret, and others.

Recommendations:
For SUSE Rancher versions prior to 2.5.16, upgrade to version 2.5.16 or later. For SUSE Rancher versions prior to 2.6.7, upgrade to version 2.6.7 or later. As a temporary workaround, limit access in Rancher to trusted users. It is highly advised to rotate Rancher's serviceAccountToken after upgrading to a patched version. The local and downstream clusters should be checked for potentially unrecognized services, users, and API keys. Review for potentially leaked credentials and change them if deemed necessary.
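A version check for the affected ranges stated above, added here as an example and not part of the advisory: it classifies a Rancher server version string against the two fixed releases, treats a pre-release build of a fixed version as still affected, and reports branches the advisory does not cover as unknown rather than safe. The sample inventory at the bottom is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases stated in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (2, 5): (2, 5, 16),
    (2, 6): (2, 6, 7),
}

# Accepts "2.6.3", "v2.5.16" and pre-release tags such as "v2.6.7-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_prerelease) or raise on unrecognised input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Rancher version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch)), tag is not None


@dataclass(frozen=True)
class Assessment:
    version: Version
    status: str                    # "affected", "fixed" or "unknown"
    upgrade_to: Optional[Version]  # target release when affected


def assess(text: str) -> Assessment:
    """Classify a Rancher version against the advisory's affected ranges.
    A pre-release of the fixed version counts as affected; unlisted branches are "unknown"."""
    version, prerelease = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return Assessment(version, "unknown", None)
    if version < fixed or (version == fixed and prerelease):
        return Assessment(version, "affected", fixed)
    return Assessment(version, "fixed", None)


if __name__ == "__main__":
    # Constructed sample inventory; replace with the versions of your own servers.
    for v in ["v2.5.12", "v2.5.16", "2.6.7-rc1", "v2.6.9", "v2.7.0"]:
        a = assess(v)
        target = f" -> upgrade to {'.'.join(map(str, a.upgrade_to))}" if a.upgrade_to else ""
        print(f"{v:>10}: {a.status}{target}")
```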

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

BDU:2022-05660
CVE-2021-36782
GHSA-G7J7-H4Q8-8W2F

Affected Products

Suse Rancher