CVE-2024-52284
BaseFortify
Publication date: 2025-09-02
Last updated on: 2025-09-02
Assigner: SUSE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rancher | fleet | 0.11.0 up to, but not including, 0.11.10 (fixed in 0.11.10) |
| rancher | fleet | 0.12.0 up to, but not including, 0.12.6 (fixed in 0.12.6) |
| rancher | fleet | 0.13.0 up to, but not including, 0.13.1-0.20250806151509-088bcbea7edb (fixed in that build) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-52284 is a high-severity vulnerability in Rancher Fleet: the Helm values Fleet renders for a deployment, including any credentials or other secrets embedded in them, are stored in plain text in the BundleDeployment resource (`spec.options.helm.values`, plus the staged copy in `spec.stagedOptions.helm.values`) on the Fleet management cluster, rather than in a Kubernetes Secret. Kubernetes RBAC treats a BundleDeployment like any other custom resource, so any identity with GET or LIST on `bundledeployments.fleet.cattle.io` in the relevant namespaces can read those secrets, and so can anything that copies the object, such as etcd snapshots or cluster backups. The result is unauthorized disclosure of sensitive information and an increased risk of credential theft and misuse. [1]
How can this vulnerability impact me?
Any credential or secret that reaches a chart through Helm values (database passwords, API tokens, registry credentials) is readable by whoever can GET or LIST BundleDeployment resources. That audience is often wider than the set of people allowed to read the Secrets in the target cluster: BundleDeployments live on the Fleet management cluster, one namespace per managed cluster, so an operator, CI service account or read-only auditor with access there can collect secrets for every downstream cluster they can see. The impact depends on what the leaked credentials unlock, and the confidentiality of your systems and data is at risk wherever those credentials are reused. [1]
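To see who actually holds that read permission on a management cluster, here is an added example (my code, not Fleet's or Kubernetes') that walks exported RBAC objects and reports every subject whose role grants get or list on bundledeployments in fleet.cattle.io, honouring `*` wildcards and the fact that a RoleBinding can point at a ClusterRole. The RBAC objects in the sample are constructed; real input comes from `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` on the management cluster.

```python
"""List who can GET or LIST Fleet BundleDeployments according to cluster RBAC.

Added example; not Fleet or Kubernetes project code. Feed it the JSON from
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`
on stdin; with no stdin it evaluates the constructed sample below.
"""
import json
import sys

GROUP = "fleet.cattle.io"
RESOURCE = "bundledeployments"
READ_VERBS = ("get", "list")


def rule_grants(rule, group, resource, verb):
    """True if one PolicyRule covers group/resource/verb, honouring '*' wildcards."""
    def covers(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (
        covers(rule.get("apiGroups", []), group)
        and covers(rule.get("resources", []), resource)
        and covers(rule.get("verbs", []), verb)
    )


def role_can_read(rules):
    return any(rule_grants(r, GROUP, RESOURCE, v) for r in rules for v in READ_VERBS)


def subject_name(subject):
    if subject.get("kind") == "ServiceAccount":
        return f"ServiceAccount/{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def who_can_read(doc):
    """Return sorted 'subject: scope via binding' lines for every binding that grants read."""
    roles = {}      # (kind, namespace, name) -> rules; ClusterRoles have namespace ""
    bindings = []
    for item in doc.get("items", []):
        kind, meta = item["kind"], item["metadata"]
        if kind in ("ClusterRole", "Role"):
            roles[(kind, meta.get("namespace", ""), meta["name"])] = item.get("rules") or []
        elif kind in ("ClusterRoleBinding", "RoleBinding"):
            bindings.append(item)

    out = []
    for b in bindings:
        ref = b["roleRef"]
        ns = b["metadata"].get("namespace", "")
        # A RoleBinding may reference a ClusterRole; the grant is then limited to
        # the binding's namespace. A ClusterRoleBinding applies cluster-wide.
        role_ns = "" if ref["kind"] == "ClusterRole" else ns
        rules = roles.get((ref["kind"], role_ns, ref["name"]))
        if rules is None or not role_can_read(rules):
            continue
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        for s in b.get("subjects") or []:
            out.append(f"{subject_name(s)}: {scope} via {b['kind']}/{b['metadata']['name']}")
    return sorted(out)


# Constructed sample: a superuser group, a read-everything auditor group, a CI
# service account bound to a Fleet-specific reader role, and an unrelated pod reader.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRole", "metadata": {"name": "read-everything"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "auditors"},
  "roleRef": {"kind": "ClusterRole", "name": "read-everything"},
  "subjects": [{"kind": "Group", "name": "auditors"}]},
 {"kind": "ClusterRole", "metadata": {"name": "bundledeployment-reader"},
  "rules": [{"apiGroups": ["fleet.cattle.io"], "resources": ["bundledeployments"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "ci-reads-bundledeployments", "namespace": "cluster-fleet-default-c-abc"},
  "roleRef": {"kind": "ClusterRole", "name": "bundledeployment-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}]},
 {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "alice-pods", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "pod-reader"},
  "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(who_can_read(doc)))
```

The wildcard handling is the part worth keeping: the generic `read-everything` role never mentions Fleet, yet it exposes every BundleDeployment, and that is the shape most "viewer" roles take. `kubectl auth can-i list bundledeployments.fleet.cattle.io --all-namespaces --as=<user>` answers the same question for one identity at a time; this walk answers it for all of them. Rancher's project and cluster roles end up as ordinary RoleBindings and ClusterRoleBindings, so they are covered too.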
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check the installed Fleet version first: `helm list -n cattle-fleet-system` on the management cluster shows the deployed chart version, which you can compare against the fixed releases. Then inspect what the affected field actually holds. BundleDeployments are namespaced, one namespace per managed cluster, so list them across all namespaces: `kubectl get bundledeployments.fleet.cattle.io -A -o yaml` (or `kubectl get bundledeployment <name> -n <cluster-namespace> -o yaml` for a single one) and review `spec.options.helm.values` and `spec.stagedOptions.helm.values` for passwords, tokens and keys. To print one resource per line with its values: `kubectl get bundledeployments.fleet.cattle.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.options.helm.values}{"\n"}{end}'`. Anything you find there is also present in etcd and in every backup taken from it, so treat a hit as exposed rather than potentially exposed. [1]
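As an added example (not Fleet code), the following script automates that review: it takes the JSON form of the same `kubectl get` output and flags leaves of `spec.options.helm.values` and `spec.stagedOptions.helm.values` whose key name or value looks like a credential, while skipping keys such as `secretName` or `existingSecret` that only reference a Secret. The BundleDeployment objects it scans by default are constructed for this example, and the key and value patterns are assumptions to tune for your charts.

```python
"""Flag secret-looking Helm values in Fleet BundleDeployment objects.

Added example; not Fleet project code. It reads the JSON that
`kubectl get bundledeployments.fleet.cattle.io -A -o json` prints
(pass it on stdin) and, with no stdin, scans a constructed sample.
"""
import json
import re
import sys

# Key names that usually carry credentials (assumption: extend for your charts).
SENSITIVE_KEY = re.compile(
    r"pass(word|wd)?|passphrase|secret|token|api[-_]?key|private[-_]?key|credential",
    re.IGNORECASE,
)
# Keys that merely point at a Secret (secretName, secretKeyRef, existingSecret).
REFERENCE_KEY = re.compile(r"^existing|(name|ref)$", re.IGNORECASE)
# Values that look like credentials whatever key they sit under:
# a PEM private key, a GitHub/GitLab/AWS-style token, or a JWT.
SENSITIVE_VALUE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----"
    r"|^(ghp_|glpat-|AKIA)[A-Za-z0-9_\-]{10,}$"
    r"|^eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*$"
)


def walk(values, path=""):
    """Yield (dotted path, leaf value) for every leaf in a values tree."""
    if isinstance(values, dict):
        for key, child in values.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(values, list):
        for index, child in enumerate(values):
            yield from walk(child, f"{path}[{index}]")
    else:
        yield path, values


def find_sensitive(values):
    """Return the paths inside one Helm values mapping that look like secrets."""
    hits = []
    for path, value in walk(values):
        if not isinstance(value, str) or not value:
            continue
        leaf_key = path.rsplit(".", 1)[-1]
        key_hit = SENSITIVE_KEY.search(leaf_key) and not REFERENCE_KEY.search(leaf_key)
        if key_hit or SENSITIVE_VALUE.search(value):
            hits.append(path)
    return hits


def scan_bundledeployments(doc):
    """Map 'namespace/name' to offending value paths for every item in a kubectl List."""
    report = {}
    for item in doc.get("items", []):
        meta = item["metadata"]
        spec = item.get("spec") or {}
        hits = []
        # Fleet keeps the live options and a staged copy; check both.
        for field in ("options", "stagedOptions"):
            helm = (spec.get(field) or {}).get("helm") or {}
            for path in find_sensitive(helm.get("values") or {}):
                hits.append(f"spec.{field}.helm.values.{path}")
        if hits:
            report[f"{meta['namespace']}/{meta['name']}"] = hits
    return report


# Constructed sample in the shape of `kubectl get bundledeployments -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "BundleDeployment",
  "metadata": {"name": "app-deploy", "namespace": "cluster-fleet-default-c-abc"},
  "spec": {
   "options": {"helm": {"chart": "app", "values": {
     "image": {"tag": "1.2.3"},
     "db": {"host": "db.internal", "password": "hunter2", "existingSecret": ""},
     "extraEnv": [{"name": "API_TOKEN", "value": "ghp_abcdefghijklmnopqrstuvwxyz123456"}]}}},
   "stagedOptions": {"helm": {"chart": "app", "values": {"auth": {"token": "s3cr3t"}}}}}},
 {"kind": "BundleDeployment",
  "metadata": {"name": "monitoring", "namespace": "cluster-fleet-default-c-abc"},
  "spec": {"options": {"helm": {"chart": "monitoring",
   "values": {"replicas": 2, "secretName": "grafana-admin"}}}}}
]}
""")

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, paths in scan_bundledeployments(doc).items():
        print(name)
        for path in paths:
            print("   ", path)
```

The value patterns matter as much as the key patterns: the GitHub-style token in the sample sits under a generic `value` key inside an `extraEnv` list, which is how most charts take environment variables, so a key-name check alone would miss it. Expect some noise from the key list (a `bypass` flag will match `pass`); review hits rather than acting on them blindly.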
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rancher Fleet to a fixed release: 0.11.10, 0.12.6, 0.13.1-0.20250806151509-088bcbea7edb or later. In those releases Fleet stores the Helm values in a Kubernetes Secret instead of in the BundleDeployment itself, so read access to Secrets, which is normally much more tightly controlled, becomes the boundary. If upgrading immediately is not possible, the documented workaround is to specify `valuesFiles` as simple file names (for example `values.yaml`) rather than paths, which reduces the exposure. Two further steps apply regardless of when you upgrade: restrict GET and LIST on `bundledeployments.fleet.cattle.io` on the management cluster to the identities that need it, and assume that every secret that was ever present in a BundleDeployment has been exposed, so rotate the affected passwords, tokens and keys and account for etcd snapshots and cluster backups that still contain the old objects. [1]