Rancher vSphere Vulnerability: Plaintext Storage of CPI/CSI Credentials

CVE-2022-45157

9.1CRITICAL

Key Information

Vendor: Suse
Status: Rancher
Vendor: CVE Published:; 13 November 2024

Summary

A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.

Affected Version(s)

rancher < 2.9.3

rancher < 2.8.9

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Nov 13, 2024
Vulnerability Reserved.
Nov 11, 2022

Collectors

NVD DatabaseMitre Database