Vulnerability Report: GO-2024-2930

CVE-2023-32191, GHSA-6gr4-52w6-vmqx
Affects: github.com/rancher/rke
Published: Jul 01, 2024

When RKE provisions a cluster, it stores the cluster state in a configmap called "full-cluster-state" inside the "kube-system" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data.

For detailed information about this vulnerability, visit https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx.

Affected Packages

Path

Go Versions

Symbols
github.com/rancher/rke/k8s

from v1.4.18 before v1.4.19, from v1.5.9 before v1.5.10
github.com/rancher/rke/cluster

from v1.4.18 before v1.4.19, from v1.5.9 before v1.5.10
34 affected symbols
github.com/rancher/rke/cmd

from v1.4.18 before v1.4.19, from v1.5.9 before v1.5.10
10 affected symbols

Aliases

CVE-2023-32191
GHSA-6gr4-52w6-vmqx

References

https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx
https://github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd
https://github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf
https://vuln.go.dev/ID/GO-2024-2930.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL