Rancher
cpe:2.3:a:rancher:rancher:*:*:*:*:*:*:*
- >= 2.12.0, < 2.12.3
- >= 2.11.0
- >= 2.10.0
- >= 2.9.0
A vulnerability in Rancher Manager versions 2.9.0 and later, prior to 2.12.3, allows the exposure of sensitive information such as Secret data, cluster import URLs, and cluster registration tokens. The leak occurs through Rancher's audit logs, which can be read by any user or service account with permission to view those logs. It arises from kubectl-managed annotations: the `kubectl.kubernetes.io/last-applied-configuration` annotation that client-side `kubectl apply` writes contains a verbatim copy of the applied object, so a Secret applied this way carries its own plaintext `data` values in its metadata, and cluster registration objects carry their import URLs and tokens the same way. Rancher's audit logging records these request and response bodies without redacting them.
Exploitation of this vulnerability could lead to unauthorized access to sensitive Kubernetes secrets and cluster registration tokens, allowing for the re-enrollment of agents or compromise of downstream clusters.
Upgrade to Rancher version 2.12.3 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, define AuditPolicy resources (where the running version supports them) that redact or filter sensitive fields from the audit logs, and restrict access to Rancher's logs to trusted users. Audit logs written before mitigation may already contain Secret values and registration tokens; treat them as exposed, rotate the affected Secrets and registration tokens, and purge or lock down the stored log files.
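The following is an added example, not code from Rancher or from this advisory. It shows the leak described above concretely: a constructed audit record (the `requestBody` field and the overall record layout are assumptions for illustration; the recursive walk does not depend on them) carrying a Secret that was created with client-side `kubectl apply`, so the `kubectl.kubernetes.io/last-applied-configuration` annotation embeds the Secret's `data` in plaintext a second time. `scan_log` locates both copies in a log export, and `redact_log` produces a version safe to hand to people who only need the request metadata.

```python
"""Find and redact Secret material in JSON-lines audit logs.

Added example, not Rancher project code. Record layout (one JSON object per
line with a `requestBody` holding the Kubernetes object) is assumed; the
walk below looks at every nested map, so other layouts work too.
"""
import json
from typing import Any

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
REDACTED = "[REDACTED]"

# Constructed sample: a Secret applied with `kubectl apply`, so the
# last-applied annotation repeats the whole object, data values included.
SAMPLE_LOG = "\n".join([
    json.dumps({
        "auditID": "a1b2",
        "requestURI": "/k8s/clusters/c-m-xyz/api/v1/namespaces/default/secrets",
        "user": {"name": "u-admin"},
        "requestBody": {
            "apiVersion": "v1",
            "kind": "Secret",
            "metadata": {
                "name": "db-creds",
                "annotations": {
                    LAST_APPLIED: json.dumps({
                        "apiVersion": "v1", "kind": "Secret",
                        "metadata": {"name": "db-creds", "namespace": "default"},
                        "data": {"password": "aHVudGVyMg=="},
                    })
                },
            },
            "data": {"password": "aHVudGVyMg=="},
        },
    }),
    # A record without a body: nothing to flag.
    json.dumps({"auditID": "c3d4", "requestURI": "/v3/clusters",
                "user": {"name": "u-viewer"}}),
])


def find_leaks(obj: Any, path: str = "$") -> list:
    """Return JSON paths of fields holding Secret material: non-redacted
    `data`/`stringData` maps on Secret objects, including Secrets embedded
    as JSON text inside the last-applied annotation."""
    leaks = []
    if isinstance(obj, dict):
        if obj.get("kind") == "Secret":
            for key in ("data", "stringData"):
                vals = obj.get(key)
                if isinstance(vals, dict) and any(v != REDACTED for v in vals.values()):
                    leaks.append(f"{path}.{key}")
        for key, val in obj.items():
            child = f"{path}.{key}"
            if key == LAST_APPLIED and isinstance(val, str):
                try:
                    inner = json.loads(val)  # annotation value is JSON text
                except ValueError:
                    continue
                leaks.extend(find_leaks(inner, child))
            else:
                leaks.extend(find_leaks(val, child))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            leaks.extend(find_leaks(val, f"{path}[{i}]"))
    return leaks


def redact(obj: Any) -> Any:
    """Copy of obj with Secret data values and the whole last-applied
    annotation replaced. The annotation is dropped wholesale because it can
    embed any object type, not only Secrets."""
    if isinstance(obj, dict):
        is_secret = obj.get("kind") == "Secret"
        out = {}
        for key, val in obj.items():
            if key == LAST_APPLIED:
                out[key] = REDACTED
            elif is_secret and key in ("data", "stringData") and isinstance(val, dict):
                out[key] = {name: REDACTED for name in val}  # keep key names for triage
            else:
                out[key] = redact(val)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def scan_log(text: str) -> list:
    """(auditID, leak paths) for every JSON-lines record that leaks."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            paths = find_leaks(rec)
            if paths:
                findings.append((rec.get("auditID"), paths))
    return findings


def redact_log(text: str) -> str:
    """Redacted JSON-lines text, one record per input line."""
    return "\n".join(json.dumps(redact(json.loads(l)))
                     for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for audit_id, paths in scan_log(SAMPLE_LOG):
        print(audit_id, paths)
```

Note the two hits on the same record: the Secret's own `data` map and the copy inside the annotation. Redacting the first without the second is exactly the gap this advisory describes. Creating Secrets with `kubectl create` or with server-side apply (`kubectl apply --server-side`) avoids writing the annotation in the first place, which removes the duplicate copy from every system that later records the object.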