PT-2024-19166 · Rancher · Rancher Rke1
Pdellamore · Published 2024-06-17 · Updated 2024-10-16
CVE-2024-22032
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Rancher RKE1 versions 2.7.0 through 2.7.13
Rancher RKE1 versions 2.8.0 through 2.8.4
Description
A vulnerability has been identified in which an RKE1 cluster keeps reconciling continuously when the secrets encryption configuration is enabled. During each reconcile, the Kube API secret values are written in plaintext into the cluster object's AppliedSpec. Cluster owners, cluster members, and project members (for projects within the cluster) all have RBAC permissions to view the cluster object through the apiserver, so any of these roles can read the exposed values.
Recommendations
For Rancher RKE1 versions 2.7.0 through 2.7.13, update to version 2.7.14 or later to resolve the issue.
For Rancher RKE1 versions 2.8.0 through 2.8.4, update to version 2.8.5 or later to resolve the issue.
As a temporary workaround, consider restricting access to the cluster object from the apiserver to minimize the risk of exploitation.
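To verify whether a cluster object carries this exposure before and after upgrading, here is an added audit script (not code from Rancher or from this advisory) that walks a cluster object as returned by kubectl and reports any encryption-provider key material it finds, reporting a fingerprint rather than the value. The sample object, the `status.appliedSpec` field path and the `kubeApi.secretsEncryptionConfig.customConfig` layout are constructed assumptions for the example.

```python
import hashlib

# Providers in the Kubernetes EncryptionConfiguration format whose config embeds raw key material.
KEY_BEARING_PROVIDERS = ("aescbc", "secretbox")

# Constructed sample of a trimmed clusters.management.cattle.io object, as
# `kubectl get clusters.management.cattle.io <id> -o json` would print it (assumed layout).
SAMPLE_CLUSTER = {
    "metadata": {"name": "c-m-example"},
    "spec": {"rancherKubernetesEngineConfig": {"services": {"kubeApi": {
        "secretsEncryptionConfig": {"enabled": True}}}}},
    "status": {"appliedSpec": {"rancherKubernetesEngineConfig": {"services": {"kubeApi": {
        "secretsEncryptionConfig": {"enabled": True, "customConfig": {"resources": [{
            "resources": ["secrets"],
            "providers": [
                {"aescbc": {"keys": [{"name": "k-example", "secret": "CONSTRUCTED-SAMPLE-KEY-NOT-REAL"}]}},
                {"identity": {}},
            ]}]}}}}}}},
}

def _fingerprint(secret):
    # Short SHA-256 prefix: lets a finding be matched to the key that needs rotating without copying it.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def find_exposed_keys(node, path="$"):
    """Walk a JSON-like object and list every non-empty key entry of a key-bearing provider."""
    findings = []
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}.{name}"
            if name in KEY_BEARING_PROVIDERS and isinstance(value, dict):
                for i, entry in enumerate(value.get("keys", [])):
                    secret = entry.get("secret") if isinstance(entry, dict) else None
                    if secret:
                        findings.append({"path": f"{child}.keys[{i}]", "provider": name,
                                         "key": entry.get("name", "?"),
                                         "fingerprint": _fingerprint(secret)})
            findings.extend(find_exposed_keys(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_exposed_keys(item, f"{path}[{i}]"))
    return findings

def audit_cluster(cluster):
    """Separate findings inside status.appliedSpec (the field this CVE concerns) from the rest."""
    findings = find_exposed_keys(cluster)
    in_applied = [f for f in findings if f["path"].startswith("$.status.appliedSpec.")]
    return {"cluster": cluster.get("metadata", {}).get("name", "?"),
            "applied_spec_findings": in_applied,
            "other_findings": [f for f in findings if f not in in_applied]}
```

Any key that shows up under `applied_spec_findings` should be treated as disclosed to every principal who can read the cluster object and rotated after the upgrade.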
Fix
Information Disclosure
Affected Products
Rancher Rke1