Vulnerability Details : CVE-2022-21951
Potential exploit
A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher allows attackers on the network to read and change network data, because data transmitted via the network is not encrypted when a cluster is created from an RKE template with the CNI value overridden. This issue affects SUSE Rancher versions prior to 2.5.14 and Rancher versions prior to 2.6.5.
Products affected by CVE-2022-21951
- cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21951
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~44% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-21951
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.6 | LOW | AV:N/AC:H/Au:S/C:P/I:P/A:N | 3.9 | 4.9 | NIST | |
6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.6 | 5.2 | SUSE | |
6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.6 | 5.2 | NIST | |
CWE ids for CVE-2022-21951
- The product does not encrypt sensitive or critical information before storage or transmission. Assigned by: meissner@suse.de (Secondary)
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: meissner@suse.de (Primary); nvd@nist.gov (Secondary)
References for CVE-2022-21951
- https://bugzilla.suse.com/show_bug.cgi?id=1199443 : Bug 1199443 – VUL-0: CVE-2022-21951: Rancher: Weave CNI password is not set if RKE template is used with CNI value overridden (Issue Tracking; Third Party Advisory)
- https://github.com/rancher/rancher/security/advisories/GHSA-vrph-m5jj-c46c : Weave CNI password is not configured when a cluster is created from an RKE template · Advisory · rancher/rancher · GitHub (Exploit; Third Party Advisory)