CVE-2022-45157
CRITICAL
Rancher 2.7.0-2.8.8 and 2.9.0-2.9.2 - Insufficiently Protected vSphere CPI and CSI Credentials
Title source: llm
Description
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.
References (2)
Core References
Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-45157
Scores
CVSS v3
9.1
EPSS
0.0010
EPSS Percentile
26.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-522
Status
published
Products (3)
rancher/rancher
2.9.0 - 2.9.3 (Go)
SUSE/rancher
2.7.0 - 2.8.9
SUSE/rancher
2.9.0 - 2.9.3
Published
Nov 13, 2024
Tracked Since
Feb 18, 2026