CVE-2021-32001

MEDIUM

SUSE Rancher K3s and RKE2 - Unprotected Sensitive Data Exposure via Datastore Access

Title source: llm
STIX 2.1

Description

K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.

References (1)

Core 1
Core References
Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1188453

Scores

CVSS v3 6.5
EPSS 0.0030
EPSS Percentile 21.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-311
Status published
Products (6)
suse/rancher_k3s 1.19.12
suse/rancher_k3s 1.20.8
suse/rancher_k3s 1.21.2
suse/rancher_rke2 1.19.12
suse/rancher_rke2 1.20.8
suse/rancher_rke2 1.21.2
Published Jul 28, 2021
Tracked Since Feb 18, 2026