CVE-2021-32001

K3s/RKE2 bootstrap data is encrypted with empty string if user does not supply a token

Description

K3s and RKE2 in SUSE Rancher store the cluster's bootstrap data (the cluster certificate authority private keys, the secrets-encryption configuration passphrase and similar keying material) in the datastore in encrypted form, using the cluster token as the encryption passphrase. In the affected versions, a server started without a user-supplied token encrypts that data with the empty string as the passphrase. Any user with direct access to the datastore, or with a copy of a datastore backup, can therefore decrypt and extract the keying material without knowing any token value. This issue affects SUSE Rancher K3s versions v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions, and RKE2 versions v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.
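To make the failure mode concrete, the following is an added example written for this page; it is not K3s's or RKE2's own code, and the blob layout, KDF, iteration count and token values are constructed for illustration rather than taken from either project. It models bootstrap data sealed under a passphrase-derived AES-256-GCM key, shows that a blob sealed with the empty string opens for anyone who holds it, and includes exposedWithEmptyToken, the kind of check an operator would run over a datastore backup (adapted to the real on-disk format) to learn whether its keying material is readable without a token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed parameters for this illustration; not K3s's real blob layout or KDF settings.
const (
	saltLen  = 16
	nonceLen = 12
	kdfIters = 4096 // small so the demo runs quickly; real deployments use far more
)

// kdf is PBKDF2-HMAC-SHA256 (RFC 8018) limited to one 32-byte output block,
// written out so the block needs nothing outside the standard library.
func kdf(token string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(token))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): first (and only) block
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for n := 1; n < kdfIters; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for i := range key {
			key[i] ^= u[i]
		}
	}
	return key
}

// gcmFor returns AES-256-GCM keyed from the token (the passphrase) and salt.
func gcmFor(token string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kdf(token, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptBootstrap seals the keying material under the token; blob = salt || nonce || ciphertext.
func encryptBootstrap(token string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(token, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	out := append(make([]byte, 0, len(hdr)+len(plaintext)+gcm.Overhead()), hdr...)
	return gcm.Seal(out, hdr[saltLen:], plaintext, nil), nil
}

// decryptBootstrap reverses encryptBootstrap; a wrong token fails GCM authentication.
func decryptBootstrap(token string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("bootstrap blob too short")
	}
	gcm, err := gcmFor(token, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}

// exposedWithEmptyToken is the check to run over a datastore backup: if the blob
// opens with "" as passphrase, anyone holding the backup can read the keying material.
func exposedWithEmptyToken(blob []byte) bool {
	_, err := decryptBootstrap("", blob)
	return err == nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	// Constructed stand-in for the cluster CA private key and secrets-encryption passphrase.
	keying := []byte("constructed sample: cluster CA key + secrets-encryption passphrase")
	// Affected behaviour: server started with no token, so the passphrase is the empty string.
	vuln := must(encryptBootstrap("", keying))
	// Corrected behaviour: the same data sealed under a generated token.
	tok := make([]byte, 16)
	must(rand.Read(tok))
	fixed := must(encryptBootstrap(fmt.Sprintf("%x", tok), keying))
	fmt.Println("no-token blob readable with empty passphrase:", exposedWithEmptyToken(vuln))  // true
	fmt.Println("tokened blob readable with empty passphrase:", exposedWithEmptyToken(fixed)) // false
}
```

Run it with `go run .`; the first blob opens with no token at all, which is exactly the property an attacker with a datastore copy needs, while the second fails GCM authentication for every passphrase but the generated one. If a real backup passes the equivalent check, treat the CA private keys it contains as disclosed rather than merely the backup file.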

CVSS: 6.5 (Medium)
EPSS: 0.11%
Vendor Advisory: suse.com
Affected: SUSE Rancher

References

https://bugzilla.suse.com/show_bug.cgi?id=1188453 (vendor advisory, issue tracking)

Frequently Asked Questions

What is the severity of CVE-2021-32001?
CVE-2021-32001 has been scored as a medium-severity vulnerability (CVSS 6.5).
How to fix CVE-2021-32001?
Upgrade K3s or RKE2 to a release newer than the affected versions listed in the description; check the vendor advisory linked under References for the fixed releases. The weak encryption only occurs when the server is started without a user-supplied token, so new clusters should be created with an explicit token. Because the exposed material includes the cluster CA private keys, any datastore copy or backup taken from an affected cluster that ran without a token and may have reached an untrusted party should be treated as a disclosure of those keys, not merely of the backup file.
Is CVE-2021-32001 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2021-32001 is being actively exploited. Its EPSS score of 0.11% corresponds to a roughly 0% probability of exploitation by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-32001?
CVE-2021-32001 affects SUSE Rancher K3s and RKE2; see the description for the affected versions.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.