SuseCVELIST:CVE-2021-32001CVE-2021-32001 K3s/RKE2 bootstrap data is encrypted with empty string if user does not supply a token
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
25.8%
K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster’s confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.
CNA Affected
[
{
"vendor": "SUSE",
"product": "Rancher",
"versions": [
{
"version": "K3s",
"status": "affected",
"lessThanOrEqual": "v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1",
"versionType": "custom"
}
]
},
{
"vendor": "SUSE",
"product": "Rancher",
"versions": [
{
"version": "RKE2",
"status": "affected",
"lessThanOrEqual": "v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1",
"versionType": "custom"
}
]
}
]Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
25.8%