PT-2025-35331 · Suse · Suse Fleet

Published: 2025-08-29 · Updated: 2025-09-01 · CVE-2024-52284

CVSS v3.1: 7.7
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

SUSE Fleet versions prior to v0.14.0

SUSE Fleet version v0.13.1

SUSE Fleet version v0.12.6

SUSE Fleet version v0.11.10

Description:

A vulnerability exists in SUSE Fleet when managing Helm charts: sensitive information passed through `BundleDeployment.Spec.Options.Helm.Values` may be stored in plain text. This can lead to unauthorized disclosure of sensitive data to any user with `GET` or `LIST` permissions on `BundleDeployment` resources, and these values also lack encryption at rest, because `BundleDeployment` is not configured for Kubernetes encryption at rest by default. This behavior differs from Helm v3's default approach, where chart state is stored in Kubernetes Secrets. The exposure of credentials can have varying impacts on confidentiality, integrity, and availability, depending on the permissions associated with the leaked credentials.

Recommendations:

Upgrade to SUSE Fleet version v0.14.0 or later.

Upgrade to SUSE Fleet version v0.13.1.

Upgrade to SUSE Fleet version v0.12.6.

Upgrade to SUSE Fleet version v0.11.10.

If upgrading is not possible, specify paths to valuesFiles as simple file names, for example, use `values.yaml` instead of `config-chart/values.yaml`.
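An added audit helper for the description and recommendations above (example code, not part of the advisory or of the Fleet project): given a `BundleDeployment` object as the Kubernetes API returns it, it walks `spec.options.helm.values` and lists keys whose names suggest credentials, so an operator can see what is readable in clear text by anyone with `GET` or `LIST` on `BundleDeployment` resources, and it checks a Fleet version string against the fixed releases listed above. The sample object, the lowercase JSON field names, the API group and the key-name heuristics are assumptions.

```python
from __future__ import annotations
import re
from typing import Any, Iterator

# Key names that commonly hold credential values (assumed heuristic, not from the advisory).
SENSITIVE_KEY = re.compile(r"(pass(word)?|secret|token|api[_-]?key|credential|private[_-]?key)", re.I)
# Keys like "secretName" or "passwordRef" point at a Secret instead of holding the value itself.
REFERENCE_KEY = re.compile(r"(name|ref)$", re.I)

# Constructed sample object mirroring BundleDeployment.Spec.Options.Helm.Values from the advisory.
SAMPLE_BUNDLEDEPLOYMENT = {
    "apiVersion": "fleet.cattle.io/v1alpha1",  # assumed API group/version
    "kind": "BundleDeployment",
    "metadata": {"name": "demo-app-bd", "namespace": "cluster-fleet-default"},
    "spec": {"options": {"helm": {"chart": "demo-app", "values": {
        "replicaCount": 2,
        "database": {"host": "db.internal", "password": "hunter2"},   # plaintext credential
        "ingress": {"tls": {"secretName": "demo-tls"}},             # reference, not a value
        "auth": {"apiKey": "sk-example-0000"},                        # plaintext credential
    }}}},
}

def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, leaf) for every scalar under nested dicts/lists."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node

def find_plaintext_credentials(bundledeployment: dict) -> list[str]:
    """Dotted paths under spec.options.helm.values whose key looks like a credential
    and whose leaf is a non-empty string, i.e. the data exposed to GET/LIST readers."""
    values = bundledeployment.get("spec", {}).get("options", {}).get("helm", {}).get("values") or {}
    hits = []
    for path, leaf in _walk(values):
        key = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY.search(key) and not REFERENCE_KEY.search(key) and isinstance(leaf, str) and leaf:
            hits.append(path)
    return hits

# Fixed releases per minor line, as listed in the advisory.
FIXED = {(0, 14): (0, 14, 0), (0, 13): (0, 13, 1), (0, 12): (0, 12, 6), (0, 11): (0, 11, 10)}

def is_fixed(version: str) -> bool:
    """True if a Fleet version string such as 'v0.13.1' carries the fix."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    parts = (parts + (0, 0, 0))[:3]                  # pad short strings like "v0.14"
    fixed = FIXED.get(parts[:2])
    return parts >= fixed if fixed else parts >= (0, 14, 0)  # newer lines than 0.14 carry the fix
```

Values held only as references to a Secret are skipped on purpose; only the exposed plaintext strings are reported.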

Fix

Weakness Enumeration:

Cleartext Storage of Sensitive Information

Related Identifiers:

CVE-2024-52284
GHSA-6H9X-9J5V-7W9H

Affected Products:

Suse Fleet