CVE-2022-45157

A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-45157
https://github.com/rancher/rancher/security/advisories/GHSA-xj7w-r753-vj8v

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en la forma en que Rancher almacena las credenciales CPI (interfaz de proveedor de nube) y CSI (interfaz de almacenamiento de contenedores) de vSphere que se utilizan para implementar clústeres a través del proveedor de nube de vSphere. Este problema hace que las contraseñas CPI y CSI de vSphere se almacenen en un objeto de texto plano dentro de Rancher. Esta vulnerabilidad solo se aplica a los usuarios que implementan clústeres en entornos de vSphere.

13 Nov 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-13 14:15

Updated : 2026-04-15 00:35

NVD link : CVE-2022-45157

Mitre link : CVE-2022-45157

CVE.ORG link : CVE-2022-45157

JSON object : View

Products Affected

No product.

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2022-45157", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "meissner@suse.de", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 3.1}], "cvssMetricV40": [{"type": "Secondary", "source": "meissner@suse.de", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-13T14:15:14.990", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-45157", "source": "meissner@suse.de"}, {"url": "https://github.com/rancher/rancher/security/advisories/GHSA-xj7w-r753-vj8v", "source": "meissner@suse.de"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "meissner@suse.de", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en la forma en que Rancher almacena las credenciales CPI (interfaz de proveedor de nube) y CSI (interfaz de almacenamiento de contenedores) de vSphere que se utilizan para implementar cl\u00fasteres a trav\u00e9s del proveedor de nube de vSphere. Este problema hace que las contrase\u00f1as CPI y CSI de vSphere se almacenen en un objeto de texto plano dentro de Rancher. Esta vulnerabilidad solo se aplica a los usuarios que implementan cl\u00fasteres en entornos de vSphere."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "meissner@suse.de"}