PT-2025-35331 · Suse · Suse Fleet

Published: 2025-08-29 · Updated: 2025-10-07 · CVE-2024-52284

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

SUSE Fleet versions prior to v0.14.0
SUSE Fleet version v0.13.1
SUSE Fleet version v0.12.6
SUSE Fleet version v0.11.10
Description

A vulnerability exists in SUSE Fleet when managing Helm charts: sensitive information passed through BundleDeployment.Spec.Options.Helm.Values may be stored in plain text. This can lead to unauthorized disclosure of sensitive data to users with GET or LIST permissions on BundleDeployment resources, and to a lack of encryption at rest for these values, because BundleDeployment is not configured for Kubernetes encryption at rest by default. This behavior differs from Helm v3's default approach, where chart state is stored in Kubernetes Secrets. The exposure of credentials can have varying impacts on confidentiality, integrity, and availability, depending on the permissions associated with the leaked credentials.
Recommendations

Upgrade to SUSE Fleet version v0.14.0 or later.
Upgrade to SUSE Fleet version v0.13.1.
Upgrade to SUSE Fleet version v0.12.6.
Upgrade to SUSE Fleet version v0.11.10.
If upgrading is not possible, specify paths to valuesFiles as simple file names, for example, use values.yaml instead of config-chart/values.yaml.
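A defender-side audit of the exposure described above, written for this page as an added example (it is not code from SUSE or the Fleet project): it walks the output of `kubectl get bundledeployments.fleet.cattle.io -A -o json` and reports which BundleDeployments carry inline Helm values under spec.options.helm.values (the plain-text storage at issue) or a valuesFiles entry with a directory component (the pattern the workaround avoids), printing key paths but never the values themselves. The JSON input is a constructed sample, and the field layout and the fleet.cattle.io/v1alpha1 API version are assumed from the advisory's field names rather than confirmed against the Fleet source.

```python
import json
from typing import Dict, Iterator, List

# Constructed stand-in for `kubectl get bundledeployments.fleet.cattle.io -A -o json`
# (not real cluster output). The second item carries inline Helm values and a
# valuesFiles path with a directory component, the pattern the workaround avoids.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    {"apiVersion": "fleet.cattle.io/v1alpha1", "kind": "BundleDeployment",
     "metadata": {"name": "web-frontend", "namespace": "cluster-fleet-default-c1"},
     "spec": {"options": {"helm": {"chart": "web", "valuesFiles": ["values.yaml"]}}}},
    {"apiVersion": "fleet.cattle.io/v1alpha1", "kind": "BundleDeployment",
     "metadata": {"name": "db-backend", "namespace": "cluster-fleet-default-c1"},
     "spec": {"options": {"helm": {"chart": "db",
                                   "valuesFiles": ["config-chart/values.yaml"],
                                   "values": {"image": {"tag": "1.2"},
                                              "auth": {"password": "hunter2"}}}}}},
]})


def leaf_paths(obj, prefix: str = "") -> Iterator[str]:
    """Yield dotted key paths of every leaf under obj; leaf values are never emitted."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from leaf_paths(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from leaf_paths(value, f"{prefix}{idx}.")
    else:
        yield prefix.rstrip(".")


def audit_bundledeployments(kubectl_json: str) -> List[Dict]:
    """One finding per BundleDeployment whose spec.options.helm holds inline values
    (plain text in the object) or a valuesFiles entry that is not a simple file name."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        helm = item.get("spec", {}).get("options", {}).get("helm") or {}
        inline_values = helm.get("values") or {}
        nested_files = [f for f in helm.get("valuesFiles", []) if "/" in f]
        if inline_values or nested_files:
            findings.append({"namespace": item["metadata"]["namespace"],
                             "name": item["metadata"]["name"],
                             "inline_value_keys": sorted(leaf_paths(inline_values)),
                             "nested_values_files": nested_files})
    return findings


if __name__ == "__main__":
    for f in audit_bundledeployments(SAMPLE_KUBECTL_JSON):
        print(f"{f['namespace']}/{f['name']}: keys {f['inline_value_keys']}, "
              f"nested valuesFiles {f['nested_values_files']}")
```

Pipe real kubectl output into audit_bundledeployments to see which objects need the upgrade or the valuesFiles workaround; anything it lists is readable in plain text by every principal with GET or LIST on BundleDeployment.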

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2024-52284
GHSA-6H9X-9J5V-7W9H
GO-2025-3927
OPENSUSE-SU-2025:15538-1
SUSE-SU-2025:03289-1

Affected Products

Suse Fleet