Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-32001

Published: Jul 28, 2021 | Modified: Nov 14, 2022
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-32001
CWEhttps://cwe.mitre.org/data/definitions/NVD-Other.html

K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the clusters confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.

Affected Software

Name Vendor Start Version End Version
Rancher_k3s Suse 1.19.12 (including) 1.19.12 (including)
Rancher_k3s Suse 1.20.8 (including) 1.20.8 (including)
Rancher_k3s Suse 1.21.2 (including) 1.21.2 (including)
Rancher_rke2 Suse 1.19.12 (including) 1.19.12 (including)
Rancher_rke2 Suse 1.20.8 (including) 1.20.8 (including)
Rancher_rke2 Suse 1.21.2 (including) 1.21.2 (including)

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use