4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-58269

GHSA ID

GHSA-mw39-9qc2-f7mg

EPSS Score

CWE

CWE-532

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-58269

CVE-2024-58269: Rancher exposes sensitive information through audit logs

Impact

Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.

A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs. This happens in two different ways:

Secret Annotation Leakage: When creating Kubernetes Secrets using the stringData field, the cleartext value is embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. This annotation is included in Rancher audit logs within both the request and response bodies, exposing secret material that should be redacted.
Cluster Registration Token Leakage: During the import or creation of downstream clusters (Custom, Imported, or Harvester), Rancher audit logs record full cluster registration manifests and tokens, including: a. Non-expiring import URLs such as /v3/import/<token>_c-m-xxxx.yaml. b. Full kubectl apply and curl commands containing registration tokens and CA checksums. c. Token values associated with cluster registration resources (clusterRegistrationToken). d. These tokens are valid until explicitly revoked and can be used to re-register nodes, granting unauthorized cluster access.

An attacker or internal user who gains access to these logs could:

Recover plaintext secret values from annotations.
Use cluster registration tokens or import URLs to re-enroll agents or compromise downstream clusters.
Access clusters that rely on these tokens for authentication, enabling lateral movement.

Please consult the associated MITRE ATT&CK - Technique - Log Enumeration for further information about this category of attack.

Patches

This vulnerability is addressed by applying redaction to sensitive information that was leaking.

Patched versions of Rancher include release v2.12.3.

Workarounds

If the deployment can't be upgraded to a fixed version, users are encouraged to create AuditPolicies to redact and filter some of those requests as described in our documentation.

Also consider granting access to Rancher's logs only for trusted users.

References

If you have any questions or comments about this advisory:

Reach out to the SUSE Rancher Security team for security related inquiries.
Open an issue in the Rancher repository.
Verify with our support matrix and product support lifecycle.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-58269

GHSA ID

GHSA-mw39-9qc2-f7mg

EPSS Score

CWE

CWE-532

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/rancher	go	< 0.0.0-20251013203444-50dc516a19ea	0.0.0-20251013203444-50dc516a19ea

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is caused by insufficient redaction of sensitive data in Rancher's audit logs. The analysis of the provided patches reveals three key areas where the logging mechanism failed:

Incomplete Annotation Redaction: The audit policy for redacting the kubectl.kubernetes.io/last-applied-configuration annotation was not recursive. The DefaultPolicies function in pkg/auth/audit/default.go was updated to use a recursive JSON path ($..), fixing the issue where sensitive values within this annotation were logged if they were nested inside other objects.
Incorrect Secret Redaction: The redactSecret function in pkg/auth/audit/redact.go was mistakenly redacting data from the request body instead of the response body. This meant that any API response containing Kubernetes secret data was logged in cleartext.
Insufficient Import URL Redaction: The redactImportUrl function in pkg/auth/audit/redact.go only checked the request URI for sensitive import URLs. It failed to check other parts of the request, such as the Referer header. An attacker with access to the logs could extract non-expiring cluster registration tokens from these headers.

The identified functions are directly responsible for these failures. During runtime, these functions would be invoked as part of the audit logging pipeline. An attacker triggering the vulnerability would cause these functions to process requests or responses containing sensitive data, which, prior to the patch, would be written to the audit logs without proper redaction. Therefore, these functions are the primary indicators of the vulnerability being triggered.

Vulnerable functions

github.com/rancher/rancher/pkg/auth/audit.DefaultPolicies

pkg/auth/audit/default.go

The `DefaultPolicies` function defines the audit redaction policies. The patch changes the JSON path for the `kubectl.kubernetes.io/last-applied-configuration` annotation from `$` (root) to `$..` (recursive). This implies the original policy was not comprehensive, failing to redact sensitive data when the annotation appeared in nested JSON objects within the audit log, leading to information disclosure.

github.com/rancher/rancher/pkg/auth/audit.redactSecret

pkg/auth/audit/redact.go

The `redactSecret` function was incorrectly attempting to redact sensitive secret data from the request body (`log.RequestBody`) instead of the response body (`log.ResponseBody`). As a result, when secrets were fetched or listed, the response body containing sensitive data was logged without redaction.

github.com/rancher/rancher/pkg/auth/audit.redactImportUrl

pkg/auth/audit/redact.go

The original `redactImportUrl` function only performed a simple prefix check on the request URI to redact cluster import URLs. The patch replaces this with more robust logic that also redacts the URL from the `Referer` header. The initial implementation was insufficient, allowing sensitive cluster registration tokens and import URLs to be logged if they appeared in request headers, leading to potential unauthorized cluster access.

WAF Protection Rules

WAF Rule

### Imp**t **Not*: T** *xploit*tion o* t*is issu* r*quir*s t**t t** m*li*ious us*r **v* ****ss to R*n***r’s *u*it lo* stor***.** * vuln*r**ility **s ***n i**nti*i** in R*n***r M*n***r, w**r* s*nsitiv* in*orm*tion, in*lu*in* s**r*t **t*, *lust*r impo

Reasoning

T** vuln*r**ility is **us** *y insu**i*i*nt r****tion o* s*nsitiv* **t* in R*n***r's *u*it lo*s. T** *n*lysis o* t** provi*** p*t***s r*v**ls t*r** k*y *r**s w**r* t** lo**in* m****nism **il**: *. **In*ompl*t* *nnot*tion R****tion**: T** *u*it poli

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-58269: Rancher exposes sensitive information through audit logs

Impact

Patches

Workarounds

References

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI