
GHSA-wm2r-rp98-8pmh
vulnerability analysis and mitigation

Overview

A security vulnerability (GHSA-wm2r-rp98-8pmh) was discovered in Rancher's Fleet integration, affecting Rancher versions 2.5.0 through 2.5.12 and 2.6.0 through 2.6.3. The vulnerability exposes SSH credentials when Fleet is used for continuous delivery with authenticated Git and/or Helm repositories. The issue was published on April 15, 2022, and was assigned a low severity rating (GitHub Advisory).

Technical details

The vulnerability stems from a flaw in the go-getter library (versions prior to v1.5.11), which Rancher uses through Fleet (versions prior to v0.3.9). When Fleet fails to download a git repo because of a misconfigured URL, the resulting error message is not properly redacted and exposes the SSH private key in base64 form. The vulnerability is classified as CWE-200 (Information Exposure) (GitHub Advisory).

Impact

When Git and/or Helm authentication is configured in Fleet and Fleet is used to deploy a git repo through Continuous Delivery, the vulnerability can expose the configured SSH private key secrets. The exposed credentials appear in both the Rancher UI and Fleet's deployment pod logs as base64-encoded query parameters appended to the git URL (GitHub Advisory).
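As an added example (not code from Rancher, Fleet or go-getter), the following Go scanner shows the kind of after-the-fact check a defender might run over Fleet pod logs: it finds git URLs whose query parameters decode from base64 to PEM private-key material, masks them, and reports which parameter names leaked on which lines so the corresponding keys can be rotated. The sample log line, the `sshkey` parameter name and the URL pattern are constructed assumptions, not values taken from the advisory.

```go
package main

import (
	"encoding/base64"
	"net/url"
	"regexp"
	"strings"
)

var urlPattern = regexp.MustCompile(`[a-z][a-z0-9+.-]*://[^\s"']+`) // URL-like tokens in a log line

// SampleLog is a constructed line of the kind the advisory describes: a failed
// clone error that echoes the git URL together with its base64 key parameter.
var SampleLog = "fetch failed: git::ssh://git@example.invalid/org/app.git?ref=main&sshkey=" +
	base64.StdEncoding.EncodeToString([]byte("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n"))

// looksLikePrivateKey reports whether a raw query value is base64 that decodes
// to PEM private-key material, the form in which the unpatched code exposed the key.
func looksLikePrivateKey(raw string) bool {
	if unesc, err := url.QueryUnescape(raw); err == nil {
		raw = unesc // QueryUnescape also turns '+' into ' '; restored below
	}
	decoded, err := base64.StdEncoding.DecodeString(strings.ReplaceAll(raw, " ", "+"))
	return err == nil && strings.Contains(string(decoded), "PRIVATE KEY-----")
}

// RedactLeakedKeys scans log lines (e.g. Fleet pod logs) and returns them with any query
// parameter carrying key material masked, plus the leaked parameter names per 1-based line.
func RedactLeakedKeys(lines []string) ([]string, map[int][]string) {
	findings := map[int][]string{}
	out := make([]string, len(lines))
	for i, line := range lines {
		out[i] = urlPattern.ReplaceAllStringFunc(line, func(u string) string {
			idx := strings.IndexByte(u, '?')
			if idx < 0 {
				return u
			}
			pairs := strings.Split(u[idx+1:], "&")
			for j, pair := range pairs {
				name, value, ok := strings.Cut(pair, "=")
				if ok && looksLikePrivateKey(value) {
					pairs[j] = name + "=REDACTED"
					findings[i+1] = append(findings[i+1], name)
				}
			}
			return u[:idx+1] + strings.Join(pairs, "&")
		})
	}
	return out, findings
}
```

Any line number reported in the findings map identifies a key that must be treated as compromised and rotated; masking the log alone does not undo the exposure.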

Mitigation and workarounds

The vulnerability has been patched in Rancher versions 2.5.13, 2.6.4, and later releases. Until upgrading is possible, users should limit Rancher access to trusted users and carefully validate repository URLs. Any SSH keys that may have been exposed should be rotated. There are no direct mitigations available besides upgrading to the patched versions (GitHub Advisory).

Community reactions

The vulnerability was discovered and reported by Dagan Henderson from Raft Engineering. SUSE Rancher Security team has been actively involved in addressing inquiries related to this security issue (GitHub Advisory).

This report was generated using AI.
