The SUSE Rancher Security Team has issued a security advisory warning of a high-severity vulnerability in Fleet, Rancher's GitOps-at-scale engine. Tracked as CVE-2024-52284 with a CVSS score of 7.7, the flaw exposes sensitive Helm values stored in plain text within Fleet's BundleDeployment resources, putting credentials and secrets at risk.
Fleet is a GitOps tool designed to manage Kubernetes deployments across single or multiple clusters. As SUSE explains, "Fleet is designed to manage multiple clusters. It's also lightweight enough that it works great for a single cluster too, but it really shines when you get to a large scale… all resources are dynamically turned into Helm charts and Helm is used as the engine to deploy everything in the cluster."
This focus on scale and automation, however, also makes security issues in Fleet particularly impactful for organizations managing sensitive workloads.
The flaw occurs when Fleet is used to manage Helm charts. According to the advisory, "Helm Values are stored inside BundleDeployment in plain text." This can lead to two critical issues:
- Unauthorized disclosure of sensitive data: Any user with GET or LIST permissions on BundleDeployment resources could retrieve Helm values containing credentials or other secrets.
- Lack of encryption at rest: BundleDeployment is not configured for Kubernetes encryption at rest by default, causing sensitive values to remain unencrypted within the cluster datastore.
This behavior diverges from Helm v3, which stores chart state, including values, in Kubernetes secrets, ensuring built-in protection.
The advisory warns that in affected environments, "credentials and other sensitive information are exposed both at rest and in responses to API calls."
The severity of exposure depends on the type and scope of leaked credentials. SUSE notes, "For the exposure of credentials not related to Rancher, the final impact severity for confidentiality, integrity, and availability is dependent on the permissions that the leaked credentials have on their own services."
For enterprises using Fleet to manage critical infrastructure, this could mean unauthorized access to cloud services, databases, or other sensitive systems.
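A defender-side audit for the exposure described above, added here as an example and not code from the advisory or from Fleet itself: it walks the Helm values block of a BundleDeployment manifest and reports keys whose names look like credentials. It assumes values live under spec.options.helm.values (and spec.stagedOptions.helm.values); the sample manifest is constructed.

```python
"""Flag plaintext Helm values in a Fleet BundleDeployment that look like
credentials (CVE-2024-52284 exposure check). Added example; assumes the
spec.options.helm.values / spec.stagedOptions.helm.values layout."""
import json
import re

# Key names that commonly carry credentials; extend to match your charts.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)

def _redact(value):
    """Keep the first two characters so a hit can be recognised, mask the rest."""
    s = str(value)
    return s[:2] + "*" * max(len(s) - 2, 0)

def _walk(node, path, hits):
    """Recursively collect (dotted_path, redacted_value) for sensitive keys."""
    if isinstance(node, dict):
        for k, v in node.items():
            p = f"{path}.{k}" if path else k
            if SENSITIVE_KEY.search(str(k)) and not isinstance(v, (dict, list)):
                hits.append((p, _redact(v)))
            _walk(v, p, hits)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", hits)

def find_exposed_values(manifest):
    """Return hits from every Helm values block of one BundleDeployment."""
    hits = []
    spec = manifest.get("spec", {})
    for section in ("options", "stagedOptions"):
        values = spec.get(section, {}).get("helm", {}).get("values")
        if values:
            _walk(values, f"spec.{section}.helm.values", hits)
    return hits

# Constructed sample: a DB password and an API key sit beside harmless settings.
SAMPLE = json.loads("""{
  "apiVersion": "fleet.cattle.io/v1alpha1",
  "kind": "BundleDeployment",
  "metadata": {"name": "demo-app", "namespace": "cluster-fleet-default-c1"},
  "spec": {"options": {"helm": {"values": {
      "replicaCount": 2,
      "db": {"host": "db.internal", "password": "hunter2"},
      "apiKey": "AKIAEXAMPLE",
      "image": {"tag": "1.2.3"}}}}}
}""")

if __name__ == "__main__":
    for path, preview in find_exposed_values(SAMPLE):
        print(f"{path} = {preview}")
```

In a live cluster the same function can be run over the output of a BundleDeployment listing across all namespaces to see which deployments still carry secrets inline before the upgrade.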
SUSE has released patched versions of Fleet that introduce a secure handling mechanism for Helm values. "This vulnerability is addressed by adding the capability for each Bundle and BundleDeployment to have a secret to store options in."
The improvements include:
- The git job that runs fleet apply now creates Kubernetes secrets for Helm values.
- The Fleet controller generates BundleDeployments and creates a Helm values secret per deployment in the namespace.
- The Fleet agent retrieves the Helm values from the secret when deploying bundles.
Fixed Versions:
- Fleet v0.14.0
- Fleet v0.13.1
- Fleet v0.12.6
- Fleet v0.11.10
For users unable to immediately upgrade, SUSE recommends limiting exposure by carefully managing Helm value file paths. The advisory explains:
Risky configuration:
Safer configuration: