PT-2024-11971 · Rancher · Rancher

Paulo Gomes · Published 2024-02-08 · Updated 2024-10-30 · CVE-2023-22649

CVSS v3.1: 8.4 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Rancher versions prior to 2.6.14
Rancher versions prior to 2.7.10
Rancher versions prior to 2.8.2
Description

A vulnerability has been identified that may lead to sensitive data being leaked into Rancher's audit logs. The issue affects deployments with Rancher Audit Logging enabled and AUDIT LEVEL set to 1 or above. Sensitive data that may be leaked includes HTTP headers, API server calls returning Secret objects, raw command lines used by agents, and Kubeconfig contents. The severity of the vulnerability depends on the logging strategy employed and on the permissions of the leaked credentials.
Recommendations

For versions prior to 2.6.14, update to version 2.6.14 or later to resolve the issue. For versions prior to 2.7.10, update to version 2.7.10 or later to resolve the issue. For versions prior to 2.8.2, update to version 2.8.2 or later to resolve the issue. As a temporary workaround, consider disabling the Audit feature or decreasing the AUDIT LEVEL to 0 to mitigate the issue. If AUDIT LEVEL 1 or above is required and updating to a patched version is not possible, ensure that the log is handled appropriately: do not share it with other users, and do not ship it into a log ingestion solution without proper RBAC enforcement.

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2023-22649
GHSA-XFJ7-QF8W-2GCR
GO-2024-2537

Affected Products

Rancher