
A vulnerability (CVE-2024-58269) has been identified in Rancher Manager in which sensitive information, including Secret data, cluster import URLs, and cluster registration tokens, is written to Rancher's audit logs and is therefore exposed to anyone who can read those logs. The issue was disclosed on October 24, 2025 and affects Rancher versions 2.9.0 through 2.12.2. It has been assigned a CVSS score of 4.3 (Medium) (GitHub Advisory).
The exposure occurs in two ways. 1) Secret annotation leakage: when a Kubernetes Secret is created with the stringData field, the client-side apply flow embeds the full manifest, cleartext values included, in the kubectl.kubernetes.io/last-applied-configuration annotation, and that annotation is then recorded in the request and response bodies of the audit log. Note that the base64-encoded data field offers no protection either, since base64 is an encoding, not encryption. 2) Cluster registration token leakage: during cluster import or creation, the audit log records the full registration manifests and tokens, including non-expiring import URLs, the kubectl apply commands that carry the token, and the token fields of the cluster registration resources themselves (Miggo).
An attacker with read access to Rancher's audit logs can recover plaintext Secret values from the annotation, reuse cluster registration tokens or import URLs to re-enroll agents or compromise downstream clusters, and access any cluster that relies on those tokens for authentication, enabling lateral movement across the managed fleet (GitHub Advisory).
The vulnerability is patched in Rancher version 2.12.3, which redacts the sensitive fields before they are written to the audit log. For deployments that cannot be upgraded, users are advised to create AuditPolicies that redact and filter sensitive requests, and to grant access to Rancher's audit logs only to trusted users (GitHub Advisory). Two practical caveats apply: upgrading or adding a policy changes only what is logged from that point on, so log data already written (including anything shipped to a SIEM or object storage) still contains the values, and any Secret or registration token that appeared in an accessible audit log should be treated as exposed and rotated.
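The example below, added here and not code from Rancher or the advisory, shows both halves of the issue in working form: it reproduces how a Secret applied with stringData ends up with its cleartext duplicated into the last-applied-configuration annotation, builds constructed audit events of the two kinds described above, and runs a redaction filter of the sort an audit-log consumer (or a log-shipping pipeline in front of the SIEM) could apply as a stopgap. The audit event field names (requestURI, requestBody, responseBody), the ClusterRegistrationToken field names (token, manifestUrl, command, insecureCommand), and the /v3/import/ URL shape are assumptions made for illustration, not taken from the page.

```python
"""Reproduce the last-applied-configuration leak and redact Rancher-style audit events.

Added example; not Rancher's code. Audit event structure, registration-token
field names and the import URL shape are assumed for illustration.
"""
import copy
import json
import re

ANNOTATION = "kubectl.kubernetes.io/last-applied-configuration"

# Keys whose whole value is dropped. stringData/data hold Secret contents;
# the rest are (assumed) ClusterRegistrationToken fields that carry the token.
SENSITIVE_KEYS = {
    "stringData", "data", "token", "manifestUrl",
    "command", "insecureCommand", "nodeCommand", "windowsNodeCommand",
}

# Assumed shape of a Rancher import URL: .../v3/import/<token>_<cluster-id>.yaml
IMPORT_URL_RE = re.compile(r"/v3/import/[^\s\"'`]+")

# Constructed sample Secret, as a user would write it with stringData.
SECRET_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "app"},
    "type": "Opaque",
    "stringData": {"password": "hunter2"},
}

# Constructed sample audit event for reading a registration token (assumed fields).
REGISTRATION_EVENT = {
    "requestURI": "/v3/clusterregistrationtokens/c-m-abc:default-token",
    "verb": "get",
    "responseBody": {
        "type": "clusterRegistrationToken",
        "token": "x2kq7p",
        "manifestUrl": "https://rancher.example.test/v3/import/x2kq7p_c-m-abc.yaml",
        "command": "kubectl apply -f https://rancher.example.test/v3/import/x2kq7p_c-m-abc.yaml",
    },
}


def last_applied_annotation(manifest):
    """Mimic kubectl client-side apply: the manifest, stringData included, is
    serialized to JSON and stored verbatim in the annotation (simplified)."""
    return json.dumps(manifest, separators=(",", ":"))


def build_secret_event(manifest):
    """Construct the audit event for creating the Secret. The request body is
    what the API server received, annotation included, so the cleartext
    password appears twice: in stringData and inside the annotation string."""
    body = copy.deepcopy(manifest)
    body["metadata"].setdefault("annotations", {})[ANNOTATION] = last_applied_annotation(manifest)
    return {
        "requestURI": "/k8s/clusters/local/api/v1/namespaces/app/secrets",
        "verb": "create",
        "requestBody": body,
    }


def find_leaks(event, known_values):
    """Return which known-sensitive values occur anywhere in the serialized event."""
    blob = json.dumps(event)
    return sorted(v for v in known_values if v in blob)


def redact(obj):
    """Return a redacted deep copy: sensitive keys and the last-applied
    annotation are replaced wholesale, and import URLs embedded in any string
    (e.g. inside a kubectl command) have their token segment removed."""
    if isinstance(obj, dict):
        return {
            k: "[redacted]" if (k in SENSITIVE_KEYS or k == ANNOTATION) else redact(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return IMPORT_URL_RE.sub("/v3/import/[redacted]", obj)
    return obj


if __name__ == "__main__":
    secret_event = build_secret_event(SECRET_MANIFEST)
    print("before:", find_leaks(secret_event, ["hunter2"]))
    print("after: ", find_leaks(redact(secret_event), ["hunter2"]))
    print(json.dumps(redact(REGISTRATION_EVENT), indent=2))
```

Key-based redaction is deliberately coarse: dropping the whole stringData, data and annotation values is the only safe option, because the annotation is an opaque JSON string that may contain any key the user chose. The regex pass exists for values that leak inside free text such as the kubectl command, where no key can identify them; if a real log pipeline uses a different import URL layout, that pattern must be adjusted.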
Source: This report was generated using AI