CVE-2021-36783 - OpenCVE

A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE Rancher Rancher versions prior to 2.6.4; Rancher versions prior to 2.5.13.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Suse	Rancher

Configuration 1 [-]

OR	cpe:2.3:a:suse:rancher::::::::
	cpe:2.3:a:suse:rancher::::::::

No data.

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=1193990
https://github.com/rancher/rancher/security/advisories/GHSA-8w87-58w6-hfv8

History

No history.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2022-09-07T08:20:16.958779Z

Updated: 2024-09-16T18:13:16.201Z

Reserved: 2021-07-19T00:00:00

Link: CVE-2021-36783

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-07T09:15:08.600

Modified: 2023-03-23T17:20:14.077

Link: CVE-2021-36783

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-36783", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "datePublished": "2022-09-07T08:20:16.958779Z", "dateUpdated": "2024-09-16T18:13:16.201Z", "dateReserved": "2021-07-19T00:00:00"}, "containers": {"cna": {"title": "Rancher: Failure to properly sanitize credentials in cluster template answers", "datePublic": "2022-08-19T00:00:00", "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2022-11-28T00:00:00"}, "descriptions": [{"lang": "en", "value": "A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE Rancher Rancher versions prior to 2.6.4; Rancher versions prior to 2.5.13."}], "affected": [{"vendor": "SUSE", "product": "Rancher", "versions": [{"version": "Rancher", "status": "affected", "lessThan": "2.6.4", "versionType": "custom"}]}, {"vendor": "SUSE", "product": "Rancher", "versions": [{"version": "Rancher", "status": "affected", "lessThan": "2.5.13", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1193990"}, {"url": "https://github.com/rancher/rancher/security/advisories/GHSA-8w87-58w6-hfv8"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "cweId": "CWE-522"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1193990", "defect": ["1193990"], "discovery": "INTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.781Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1193990", "tags": ["x_transferred"]}, {"url": "https://github.com/rancher/rancher/security/advisories/GHSA-8w87-58w6-hfv8", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "matchCriteriaId": "888F5175-6FF0-4846-93AF-0C8A5EEA8258", "versionEndExcluding": "2.5.13", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7C8176B-46C4-46C9-9909-5937C13FEB3C", "versionEndExcluding": "2.6.4", "versionStartIncluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE Rancher Rancher versions prior to 2.6.4; Rancher versions prior to 2.5.13."}, {"lang": "es", "value": "Una vulnerabilidad de credenciales insuficientemente protegidas en SUSE Rancher permite a los propietarios de cl\u00fasteres, miembros de cl\u00fasteres, propietarios de proyectos y miembros de proyectos autenticados leer credenciales, contrase\u00f1as y tokens de API que se han almacenado en texto claro y se han expuesto a trav\u00e9s de puntos finales de API. Este problema afecta a: Las versiones de SUSE Rancher anteriores a la 2.6.4; las versiones de Rancher anteriores a la 2.5.13"}], "id": "CVE-2021-36783", "lastModified": "2023-03-23T17:20:14.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2022-09-07T09:15:08.600", "references": [{"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1193990"}, {"source": "meissner@suse.de", "tags": ["Third Party Advisory"], "url": "https://github.com/rancher/rancher/security/advisories/GHSA-8w87-58w6-hfv8"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "meissner@suse.de", "type": "Secondary"}]}