CVE-2022-45157
Aliases: GHSA-xj7w-r753-vj8v, GO-2024-3223
Advisory lineage Upstream: 0 Downstream: 3
Deferred
Published: 13 Nov 2024, 13:39
Last modified: 13 Nov 2024, 14:39
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.1 CRITICAL
v3.1 (cve.org)
EPSS Score
0.1% LOW
0% probability +0.03%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
13 Nov 2024, 13:39
Published
Vulnerability first disclosed
13 Nov 2024, 14:39
Last Modified
Vulnerability information updated
Description
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.
CVSS Metrics
- v4.0 • HIGH • Score: 8.5 • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
- v4.0 • HIGH • Score: 8.5 • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- v3.1 • CRITICAL • Score: 9.1 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
EPSS Trends
Current EPSS score: 0.10% • Percentile: 27%
Techniques & Countermeasures
- CWE-522 • Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Affected Systems
- github.com/rancher • rancher
≥ 2.9.0, < 2.9.3 | ≥ 2.7.0, < 2.8.9 | all
- suse • rancher
≥ 2.9.0, < 2.9.3 | ≥ 2.7.0, < 2.8.9