CVE-2024-22032

Severity: MEDIUM

Rancher RKE1 - Plaintext Secret Exposure During Reconciliation

Title source: manual

Description

A vulnerability has been identified in which an RKE1 cluster reconciles continuously when the secrets encryption configuration is enabled. During each reconciliation, the Kube API secret values are written in plaintext into the cluster object's AppliedSpec. Cluster owners, cluster members, and project members (for projects within the cluster) all have RBAC permissions to view the cluster object from the apiserver, so they can read the exposed values.

Scores

CVSS v3: 6.5
EPSS: 0.0006
EPSS percentile: 19.8%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical impact: partial

Details

CWE: CWE-200
Status: published
Products (3):
rancher/rancher 2.7.0 - 2.7.14 (Go)
SUSE/rancher 2.7.0 - 2.7.14
SUSE/rancher 2.8.0 - 2.8.5
Published: Oct 16, 2024
Tracked since: Feb 18, 2026