When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.
During cluster provisioning by RKE, the tool saves the complete cluster state in a configmap named `full-cluster-state` in the `kube-system` namespace. This configmap contains sensitive configuration information which — according to CWE-922 — is stored in an unsecured location. An unprivileged cluster user with read access to this resource can extract the contained data and use it to escalate their permissions to administrator level.
An attacker with a standard account in the cluster can perform privilege escalation to the administrator role, gaining full control over the Kubernetes cluster, including access to all data and the ability to modify cluster resources.
Security patches available from the vendor should be applied according to references — details in the SUSE Bugzilla message and official security advisory in the rancher/rke repository on GitHub (GHSA-6gr4-52w6-vmqx).
Kubernetes clusters provisioned using the RKE (Rancher Kubernetes Engine) tool; detailed information on affected versions is available in vendor references.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H