CVE-2022-45157

CRITICAL

Rancher < 2.9.3 - Insufficiently Protected Credentials

Title source: rule

Description

A vulnerability has been identified in the way that Rancher stores the vSphere CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. As a result, the vSphere CPI and CSI passwords are stored in a plaintext object inside Rancher. This vulnerability applies only to users who deploy clusters in vSphere environments.

Scores

CVSS v3: 9.1
EPSS: 0.0007
EPSS Percentile: 21.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Classification

CWE: CWE-522
Status: draft

Affected Products (1)

rancher/rancher < 2.9.3 (Go)

Timeline

Published: Nov 13, 2024
Tracked Since: Feb 18, 2026