CVE-2021-32001
Summary
| CVE | CVE-2021-32001 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-07-28 10:15:00 UTC |
| Updated | 2022-11-14 19:30:00 UTC |
| Description | K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | SUSE | Rancher K3s | 1.19.12 | All | All | All |
| Application | SUSE | Rancher K3s | 1.20.8 | All | All | All |
| Application | SUSE | Rancher K3s | 1.21.2 | All | All | All |
| Application | SUSE | Rancher RKE2 | 1.19.12 | All | All | All |
| Application | SUSE | Rancher RKE2 | 1.20.8 | All | All | All |
| Application | SUSE | Rancher RKE2 | 1.21.2 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Bug 1188453 – CVE-2021-32001: K3s/RKE2 bootstrap data is encrypted with empty string if user does not supply a token | CONFIRM | bugzilla.suse.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 502106 Alpine Linux Security Update for k3s