CVE-2021-32001 Information

Description

A Missing Encryption of Sensitive Data vulnerability in k3s and RKE2 of SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it without having to know the token value. This issue affects: SUSE Rancher K3s versions v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 versions v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://bugzilla.suse.com/show_bug.cgi?id=1188453

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
