CVE-2024-52282

Name of the Vulnerable Software and Affected Versions Rancher Manager versions prior to 2.8.10 Rancher Manager versions prior to 2.9.5

Description A vulnerability has been identified in Rancher Manager where applications installed via the Apps Catalog store their Helm values directly into the Apps Custom Resource Definition. This allows any users with GET access to read sensitive information contained within the Apps’ values. The same information also leaks into auditing logs when the audit level is set to equal or above 2. This issue impacts any Helm applications installed on a Rancher Manager cluster.

Recommendations For versions prior to 2.8.10, upgrade to version 2.8.10 or later. For versions prior to 2.9.5, upgrade to version 2.9.5 or later. After upgrading, rotate passwords and secrets that may have been leaked while using the affected versions. For deployments that cannot be upgraded in a timely fashion, limit the impact by reducing the amount of users who can get or list the Apps’ CRD and restrict access to auditing logs if the Rancher Manager has audit logs enabled and set to level 2 or above.