Information Exposure Affecting github.com/rancher/rancher package, versions <2.5.16 >=2.6.0 <2.6.7
Threat Intelligence
EPSS
5.61% (94th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHER-3018572
- published 7 Sep 2022
- disclosed 7 Sep 2022
- credit Florian Struck, Marco Stuurman
Introduced: 7 Sep 2022
CVE-2021-36782 Open this link in a new tabHow to fix?
Upgrade github.com/rancher/rancher to version 2.5.16, 2.6.7 or higher.
Overview
Affected versions of this package are vulnerable to Information Exposure due to storing sensitive fields like passwords, API keys, and Rancher's service account token (used to provision clusters) in plaintext directly on Kubernetes objects.
This vulnerability allows Cluster Owners, Cluster Members, Project Owners, Project Members, and User Base to use the Kubernetes API to retrieve plaintext versions of sensitive data via the following endpoints:
- /v1/management.cattle.io.catalogs
- /v1/management.cattle.io.cluster
- /v1/management.cattle.io.clustertemplates
- /v1/management.cattle.io.notifiers
- /v1/project.cattle.io.sourcecodeproviderconfig
- /k8s/clusters/local/apis/management.cattle.io/v3/catalogs
- /k8s/clusters/local/apis/management.cattle.io/v3/clusters
- /k8s/clusters/local/apis/management.cattle.io/v3/clustertemplates
- /k8s/clusters/local/apis/management.cattle.io/v3/notifiers
- /k8s/clusters/local/apis/project.cattle.io/v3/sourcecodeproviderconfigs
References
CVSS Scores
version 3.1