Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
K3s/RKE2 bootstrap data is encrypted with empty string if user does not supply a token
Vulnerability Description
K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
敏感数据加密缺失
Vulnerability Title
SUSE Rancher K3s 安全漏洞
Vulnerability Description
SUSE Rancher K3s是德国SUSE公司的个 CNCF 沙箱项目,提供轻量级但功能强大的认证 Kubernetes 发行版。 SUSE Rancher K3s存在安全漏洞,该漏洞允许任何用户直接访问数据存储,或数据存储备份的副本,以提取集群的机密密钥材料(集群证书颁发机构私钥、秘密加密配置密码短语等)并解密,不需要知道令牌的值。
CVSS Information
N/A
Vulnerability Type
N/A