Vulnerability Description
K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Suse | Rancher K3S | 1.19.12 |
| Suse | Rancher Rke2 | 1.19.12 |
Related Weaknesses (CWE)
References
- https://bugzilla.suse.com/show_bug.cgi?id=1188453 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2021-32001?
CVE-2021-32001 is a vulnerability with a CVSS score of 6.5 (MEDIUM). K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private k...
How severe is CVE-2021-32001?
CVE-2021-32001 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32001?
Check the references section above for vendor advisories and patch information. Affected products include: Suse Rancher K3S, Suse Rancher Rke2.