CVE-2024-58269 is a medium-severity security vulnerability in github.com/rancher/rancher (go), affecting versions < 0.0.0-20251013203444-50dc516a19ea. It is fixed in 0.0.0-20251013203444-50dc516a19ea.
Impact

Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.

A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs. This happens in two different ways:

1. Secret Annotation Leakage: When creating Kubernetes Secrets using the stringData field, the cleartext value is embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. This annotation is included in Rancher audit logs within both the request and response bodies, exposing secret material that should be redacted.

2. Cluster Registration Token Leakage: During the import or creation of downstream clusters (Custom, Imported, or Harvester), Rancher audit logs record full cluster registration manifests and tokens, including:
   a. Non-expiring import URLs such as /v3/import/<token>_c-m-xxxx.yaml.
   b. Full kubectl apply and curl commands containing registration tokens and CA checksums.
   c. Token values associated with cluster registration resources (clusterRegistrationToken).
   d. These tokens are valid until explicitly revoked and can be used to re-register nodes, granting unauthorized cluster access.

An attacker or internal user who gains access to these logs could:
- Recover plaintext secret values from annotations.
- Use cluster registration tokens or import URLs to re-enroll agents or compromise downstream clusters.
- Access clusters that rely on these tokens for authentication, enabling lateral movement.

Please consult the associated MITRE ATT&CK - Technique - Log Enumeration for further information about this category of attack.

Patches

This vulnerability is addressed by applying redaction to sensitive information that was leaking. Patched versions of Rancher include release v2.12.3.
Workarounds

If the deployment can't be upgraded to a fixed version, users are encouraged to create AuditPolicies to redact and filter some of those requests as described in our documentation. The following AuditPolicy can be applied to redact the secrets:

Also consider granting access to Rancher's logs only for trusted users.

References

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
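The two leakage paths the advisory describes (Secret values carried in the last-applied-configuration annotation, and cluster registration tokens and /v3/import/<token>_c-m-xxxx.yaml URLs) can be checked for in audit logs that have already been collected. The following is an added example, not Rancher's code and not the AuditPolicy the advisory refers to: a small Python scanner that walks constructed audit-log entries and redacts the sensitive fields, reporting how many redactions each entry needed so that leaked records can be counted before the logs are shared or retained. The entry layout (requestURI, requestBody, responseBody) and every token value are assumptions modelled on Kubernetes-style audit records, not real Rancher output.

```python
import json
import re
from typing import Any

# Constructed sample audit-log entries (not real Rancher log output). The
# field names are assumptions; every secret and token is a placeholder.
SAMPLE_ENTRIES = [
    {
        "requestURI": "/v1/secrets",
        "requestBody": {
            "kind": "Secret",
            "metadata": {
                "name": "db-creds",
                "annotations": {
                    "kubectl.kubernetes.io/last-applied-configuration":
                        '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db-creds"},'
                        '"stringData":{"password":"PLACEHOLDER-PASSWORD"}}'
                },
            },
            "stringData": {"password": "PLACEHOLDER-PASSWORD"},
        },
        "responseBody": {"kind": "Secret", "metadata": {"name": "db-creds"}},
    },
    {
        "requestURI": "/v3/clusterregistrationtokens",
        "responseBody": {
            "type": "clusterRegistrationToken",
            "token": "PLACEHOLDER-REGISTRATION-TOKEN",
            "manifestUrl": "https://rancher.example/v3/import/PLACEHOLDER-REGISTRATION-TOKEN_c-m-abcd1234.yaml",
            "command": "kubectl apply -f https://rancher.example/v3/import/PLACEHOLDER-REGISTRATION-TOKEN_c-m-abcd1234.yaml",
        },
    },
    {"requestURI": "/v1/pods", "responseBody": {"kind": "Pod", "metadata": {"name": "web"}}},
]

REDACTED = "[redacted]"
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Keys that carry cluster registration material in the constructed entries above
# (assumed names, chosen to mirror the advisory's description).
SENSITIVE_KEYS = {"token", "manifestUrl", "command", "insecureCommand"}
# Non-expiring import URL shape named in the advisory: /v3/import/<token>_c-m-xxxx.yaml
IMPORT_URL = re.compile(r"/v3/import/[^\s\"']+_c-m-[A-Za-z0-9]+\.yaml")


def looks_like_secret(last_applied: str) -> bool:
    """True when a last-applied-configuration annotation embeds Secret payload."""
    try:
        obj = json.loads(last_applied)
    except ValueError:
        return False
    return (isinstance(obj, dict) and obj.get("kind") == "Secret"
            and bool(obj.get("data") or obj.get("stringData")))


def redact(node: Any, in_secret: bool = False) -> tuple[Any, int]:
    """Return a redacted copy of node and the number of redactions applied."""
    if isinstance(node, dict):
        in_secret = in_secret or node.get("kind") == "Secret"
        out: dict = {}
        count = 0
        for key, val in node.items():
            if in_secret and key in ("data", "stringData") and isinstance(val, dict):
                out[key] = {k: REDACTED for k in val}   # blank every Secret value
                count += len(val)
            elif key == LAST_APPLIED and isinstance(val, str) and looks_like_secret(val):
                out[key] = REDACTED                      # annotation carries cleartext
                count += 1
            elif key in SENSITIVE_KEYS and isinstance(val, str):
                out[key] = REDACTED                      # registration token material
                count += 1
            else:
                out[key], sub = redact(val, in_secret)
                count += sub
        return out, count
    if isinstance(node, list):
        items = [redact(v, in_secret) for v in node]
        return [v for v, _ in items], sum(n for _, n in items)
    if isinstance(node, str):
        # Import URLs may also appear inside free-text fields; mask the token part.
        return IMPORT_URL.subn("/v3/import/" + REDACTED + ".yaml", node)
    return node, 0


def scan_audit_log(entries: list) -> tuple[list, list]:
    """Redact every entry; return (redacted entries, per-entry redaction counts)."""
    results = [redact(entry) for entry in entries]
    return [entry for entry, _ in results], [count for _, count in results]


if __name__ == "__main__":
    cleaned, counts = scan_audit_log(SAMPLE_ENTRIES)
    for entry, count in zip(cleaned, counts):
        print(f"{entry['requestURI']}: {count} redaction(s)")
```

Running the block reports two redactions for the Secret entry (the stringData value and the annotation), three for the registration-token entry and none for the Pod entry. The scanner is a check on logs that already exist; it does not stop Rancher from writing the values in the first place, which is what the upstream fix and a suitable AuditPolicy do.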
CVE-2024-58269 has a CVSS score of 4.3 (Medium). The vector is network-reachable, requires low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.0.0-20251013203444-50dc516a19ea). Upgrading removes the vulnerable code path.
Affected package: github.com/rancher/rancher (go) < 0.0.0-20251013203444-50dc516a19ea
Fixed version: github.com/rancher/rancher 0.0.0-20251013203444-50dc516a19ea (go)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2024-58269 is reachable in your applications. Explore open-source security for your team.
See if CVE-2024-58269 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2024-58269 in your environment →

Upgrade github.com/rancher/rancher to 0.0.0-20251013203444-50dc516a19ea or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2024-58269 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/rancher/rancher (go) versions < 0.0.0-20251013203444-50dc516a19ea are affected.
Yes. CVE-2024-58269 is fixed in 0.0.0-20251013203444-50dc516a19ea. Upgrade to this version or later.
Whether CVE-2024-58269 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/rancher/rancher to 0.0.0-20251013203444-50dc516a19ea or later.