CVE-2022-45157

EPSS 0.17%
Published 13.11.2024 14:15:14
Last modified 13.11.2024 17:01:16
Source meissner@suse.de
Teams watchlist Login
Open Login

A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorSUSE

≫

Product rancher

Default Statusunaffected

Version < 2.9.3

Version 2.9.0

Status affected

Version < 2.8.9

Version 2.7.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.385

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
meissner@suse.de	8.5	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
meissner@suse.de	9.1	3.1	5.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-45157

https://github.com/rancher/rancher/security/advisories/GHSA-xj7w-r753-vj8v

https://nvd.nist.gov/vuln/detail/CVE-2022-45157

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-45157

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-45157

EUVD