PT-2025-43691 · Suse · Rancher Manager

Published

2025-10-24

·

Updated

2025-11-07

·

CVE-2024-58269

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rancher Manager versions prior to 2.12.3
Description: Rancher Manager exposes sensitive information, including Secret data, cluster import URLs and registration tokens, to anyone who can read Rancher's audit logs. The exposure occurs through two mechanisms: Secret values leak through the kubectl.kubernetes.io/last-applied-configuration annotation recorded in the audit logs, and full cluster registration manifests, including import URLs of the form /v3/import/<token>_c-m-xxxx.yaml and the registration tokens they carry, are logged during cluster import or creation. An attacker who obtains these logs can recover plaintext Secret values, re-enroll agents with the leaked tokens, compromise downstream clusters and potentially move laterally. The first mechanism arises when a Kubernetes Secret is created with the stringData field: the cleartext value is embedded in the kubectl.kubernetes.io/last-applied-configuration annotation, which is then written to the audit log along with the rest of the object.
Recommendations: Upgrade versions prior to 2.12.3 to 2.12.3 or later. If upgrading is not possible, create AuditPolicies that filter and redact sensitive requests, as described in the Rancher documentation. In either case, grant access to Rancher's audit logs only to trusted users.
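As an added example (not Rancher's code and not part of this advisory), the scanner below runs over constructed Rancher-style audit log entries, flags the two patterns described above (a Secret whose kubectl.kubernetes.io/last-applied-configuration annotation carries the cleartext stringData, and an import request whose URL and returned manifest carry the registration token) and emits a redacted copy of each entry. The log field names (requestURI, requestBody, responseBody) and the CATTLE_TOKEN environment variable in the agent manifest are assumptions about the log and manifest shape, not facts stated on this page; check them against a real deployment's log before relying on the regexes.

```python
"""Scan Rancher-style audit log lines for the two leak patterns of
CVE-2024-58269 and produce redacted copies of the offending entries.

Added example, not Rancher code. The sample entries are constructed; field
names (requestURI, requestBody, responseBody) and the CATTLE_TOKEN env var
are assumed to mirror real Rancher audit logs and agent manifests.
"""
from __future__ import annotations

import base64
import json
import re

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Import URL shape named in the advisory: /v3/import/<token>_c-m-xxxx.yaml
IMPORT_URL_RE = re.compile(r"/v3/import/([A-Za-z0-9]+)_(c-m-[a-z0-9]+)\.yaml")
# Registration token inside a rendered agent manifest (assumed env var name).
TOKEN_IN_MANIFEST_RE = re.compile(r"name:\s*CATTLE_TOKEN\s+value:\s*\"?([A-Za-z0-9]{12,})")


def _redact_secret_object(obj: dict) -> list[str]:
    """Blank data/stringData and the last-applied annotation of a Secret in place."""
    findings: list[str] = []
    for field in ("data", "stringData"):
        if isinstance(obj.get(field), dict):
            obj[field] = {k: "[REDACTED]" for k in obj[field]}
            findings.append(f"secret:{field}")
    annotations = obj.get("metadata", {}).get("annotations", {})
    if LAST_APPLIED in annotations:
        # The annotation holds the whole applied object, stringData included.
        annotations[LAST_APPLIED] = "[REDACTED]"
        findings.append("secret:last-applied-configuration")
    return findings


def scan_and_redact(line: str) -> tuple[list[str], str]:
    """Return (findings, redacted JSON line) for one audit log entry."""
    entry = json.loads(line)
    findings: list[str] = []

    uri = entry.get("requestURI", "")
    m = IMPORT_URL_RE.search(uri)
    if m:
        findings.append("import-url:token")
        entry["requestURI"] = uri.replace(m.group(1), "[REDACTED]")

    for body_field in ("requestBody", "responseBody"):
        body = entry.get(body_field)
        if not body:
            continue
        parsed = body
        if isinstance(body, str):
            try:
                parsed = json.loads(body)
            except ValueError:
                parsed = None
        if isinstance(parsed, dict) and parsed.get("kind") == "Secret":
            findings.extend(f"{body_field}:{f}" for f in _redact_secret_object(parsed))
            entry[body_field] = json.dumps(parsed) if isinstance(body, str) else parsed
            continue
        text = body if isinstance(body, str) else json.dumps(body)
        if TOKEN_IN_MANIFEST_RE.search(text):
            findings.append(f"{body_field}:registration-token")
            entry[body_field] = "[REDACTED registration manifest]"
    return findings, json.dumps(entry)


def summarize(lines: list[str]) -> dict[str, list[str]]:
    """Map each entry's auditID to its findings (empty list when clean)."""
    return {json.loads(l).get("auditID", "?"): scan_and_redact(l)[0] for l in lines}


# Constructed sample entries resembling Rancher audit log lines.
SAMPLE_AUDIT_LINES = [
    # 1) A Secret applied with stringData; the annotation carries the cleartext.
    json.dumps({
        "auditID": "a1", "verb": "PUT", "user": {"name": "u-admin"},
        "requestURI": "/k8s/clusters/c-m-abc123de/api/v1/namespaces/app/secrets/db-creds",
        "requestBody": {
            "apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": "db-creds", "namespace": "app", "annotations": {
                LAST_APPLIED: json.dumps({"apiVersion": "v1", "kind": "Secret",
                                          "metadata": {"name": "db-creds", "namespace": "app"},
                                          "stringData": {"password": "Sup3rS3cret!"}})}},
            "data": {"password": base64.b64encode(b"Sup3rS3cret!").decode()},
        },
    }),
    # 2) Cluster import: token in the URL and again inside the returned manifest.
    json.dumps({
        "auditID": "a2", "verb": "GET", "user": {"name": "system"},
        "requestURI": "/v3/import/x9k2mq7pv4tz8wln3rbh_c-m-abc123de.yaml",
        "responseBody": "apiVersion: apps/v1\nkind: Deployment\n        env:\n"
                        "        - name: CATTLE_TOKEN\n          value: \"x9k2mq7pv4tz8wln3rbh\"\n",
    }),
    # 3) Benign entry with nothing to redact.
    json.dumps({"auditID": "a3", "verb": "GET", "requestURI": "/v3/clusters",
                "responseBody": {"type": "collection"}}),
]

if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LINES:
        found, redacted = scan_and_redact(line)
        print(found, redacted, sep="\n  ")
```

Running the scanner over an existing log answers the question the advisory raises for anyone below 2.12.3: whether plaintext Secret values or registration tokens are already sitting in log storage and who has been able to read them. Redacting in place is a stopgap for archived logs only; the AuditPolicy filters the Rancher documentation describes stop the values from being written in the first place.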

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2024-58269
GHSA-MW39-9QC2-F7MG
GO-2025-4074
OPENSUSE-SU-2025:15710-1

Affected Products

Rancher Manager