CVE-2024-52284 vulnerability analysis and mitigation

Overview

A high-severity vulnerability (CVE-2024-52284) has been identified in SUSE Rancher's Fleet, a GitOps-at-scale engine for managing Kubernetes clusters. The vulnerability, discovered in August 2025, affects Fleet versions prior to 0.14.0 and allows sensitive Helm chart values to be stored in plain text within BundleDeployment resources. The vulnerability carries a CVSS v3.1 base score of 7.7 and affects multiple versions including Fleet v0.13.0, v0.12.0, and v0.11.0 (GitHub Advisory, Security Online).

Technical details

The vulnerability occurs when Fleet manages Helm charts where sensitive information is passed through BundleDeployment.Spec.Options.Helm.Values. Unlike Helm v3's approach of storing chart state in Kubernetes secrets, Fleet stores these values in plain text within BundleDeployment custom resources. The issue is particularly concerning because BundleDeployment is not configured for Kubernetes encryption at rest by default, leaving sensitive values unencrypted within the cluster datastore. This behavior deviates from Helm v3's security model, which provides built-in protection mechanisms (GitHub Advisory, GBHackers).

Impact

The vulnerability's primary impact is the unauthorized disclosure of sensitive data. Any user with GET or LIST permissions on BundleDeployment resources can retrieve Helm values containing credentials or other secrets. Additionally, since BundleDeployment resources are not encrypted at rest by default, sensitive information remains exposed in the cluster datastore. The severity of exposure depends on the permissions associated with the leaked credentials, potentially affecting confidentiality, integrity, and availability of connected services (GitHub Advisory, Security Online).

Mitigation and workarounds

SUSE has released patched versions (v0.14.0, v0.13.1, v0.12.6, and v0.11.10) that introduce a secure handling mechanism for Helm values. The fix lets each Bundle and BundleDeployment reference a Secret that stores its options, and the Fleet controller now creates a Helm values secret for each bundle deployment. For users unable to upgrade immediately, a workaround is to specify paths to valuesFiles as simple file names (e.g., 'values.yaml' instead of 'config-chart/values.yaml'). Additionally, organizations should enable Kubernetes encryption at rest and review RBAC policies to restrict access to BundleDeployment resources (GitHub Advisory, GBHackers).
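One way to find existing exposure while planning the upgrade, as an added audit script that is not Fleet's own code: it walks `spec.options.helm.values` on each BundleDeployment (the shape `kubectl get bundledeployments -A -o json` returns) and reports keys whose names look like credentials. The key pattern and the sample objects are constructed assumptions, not taken from the advisory.

```python
"""Audit Fleet BundleDeployment objects for Helm values stored in plain text.

Added example, not Fleet's own code. Walks spec.options.helm.values of each
BundleDeployment and reports keys that look like credentials. Input is constructed.
"""
import json
import re
from typing import Any, Iterator

# Key names that commonly carry credentials (assumed list; tune for your charts).
# Keys such as existingSecret only name a Secret rather than hold one, so review
# matches before acting on them.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api[-_]?key|private[-_]?key", re.I)

def walk(values: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, leaf) for every scalar in a nested values tree."""
    if isinstance(values, dict):
        for key, child in values.items():
            yield from walk(child, f"{path}.{key}" if path else str(key))
    elif isinstance(values, list):
        for idx, child in enumerate(values):
            yield from walk(child, f"{path}[{idx}]")
    else:
        yield path, values

def find_plaintext_secrets(bd_list: dict) -> list[dict]:
    """Return one finding per non-empty, sensitive-looking inline Helm value."""
    findings = []
    for bd in bd_list.get("items", []):
        meta = bd.get("metadata", {})
        helm = bd.get("spec", {}).get("options", {}).get("helm", {})
        for path, leaf in walk(helm.get("values") or {}):
            if SENSITIVE_KEY.search(path) and leaf not in (None, ""):
                findings.append({"namespace": meta.get("namespace"),
                                 "name": meta.get("name"), "path": path})
    return findings

# Constructed sample: one deployment carries a database password inline, one is clean.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "cluster-fleet-default-c1", "name": "app-db"},
  "spec": {"options": {"helm": {"values": {"replicas": 2,
    "postgresql": {"auth": {"username": "app", "password": "hunter2"}},
    "smtp": {"password": ""}}}}}},
 {"metadata": {"namespace": "cluster-fleet-default-c1", "name": "app-web"},
  "spec": {"options": {"helm": {"values": {"image": {"tag": "1.2.3"}}}}}}]}""")

for finding in find_plaintext_secrets(SAMPLE):
    print(f"{finding['namespace']}/{finding['name']}: plaintext value at {finding['path']}")
```

Pipe real cluster output into `json.loads` in place of `SAMPLE`; an empty `smtp.password` is skipped on purpose so that chart defaults left blank do not appear as findings.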

This report was generated using AI.
