Vulnerability-Lookup

CVE-2024-52282 (GCVE-0-2024-52282)

Vulnerability from cvelistv5 – Published: 2025-04-11 10:57 – Updated: 2025-04-11 13:24

Title

Rancher Helm Applications may have sensitive values leaked

Summary

A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET access to the Rancher Manager Apps Catalog to read any sensitive information that are contained within the Apps’ values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2. This issue affects rancher: from 2.8.0 before 2.8.10, from 2.9.0 before 2.9.4.

Severity ?

6.2 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

suse

References

URL

Tags

	https://bugzilla.suse.com/show_bug.cgi?id=CVE-202…
	https://github.com/rancher/rancher/security/advis…

Impacted products

	Vendor	Product	Version
	SUSE	rancher	Affected: 2.8.0 , < 2.8.10 (semver) Affected: 2.9.0 , < 2.9.4 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52282",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-11T13:23:47.197155Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-11T13:24:10.230Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "github.com/rancher/rancher",
          "product": "rancher",
          "vendor": "SUSE",
          "versions": [
            {
              "lessThan": "2.8.10",
              "status": "affected",
              "version": "2.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.9.4",
              "status": "affected",
              "version": "2.9.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2024-11-20T17:24:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eA Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with \u003ccode\u003eGET\u003c/code\u003e\n access to the Rancher Manager Apps Catalog to read any sensitive information that are \ncontained within the Apps\u2019 values. Additionally, the same information \nleaks into auditing logs when the audit level is set to equal or above \n2.\u003c/div\u003e\u003cp\u003eThis issue affects rancher: from 2.8.0 before 2.8.10, from 2.9.0 before 2.9.4.\u003c/p\u003e"
            }
          ],
          "value": "A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET\n access to the Rancher Manager Apps Catalog to read any sensitive information that are \ncontained within the Apps\u2019 values. Additionally, the same information \nleaks into auditing logs when the audit level is set to equal or above \n2.\n\nThis issue affects rancher: from 2.8.0 before 2.8.10, from 2.9.0 before 2.9.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-11T10:57:55.420Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-52282"
        },
        {
          "url": "https://github.com/rancher/rancher/security/advisories/GHSA-9c5p-35gj-jqp4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Rancher Helm Applications may have sensitive values leaked",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2024-52282",
    "datePublished": "2025-04-11T10:57:55.420Z",
    "dateReserved": "2024-11-06T12:19:57.723Z",
    "dateUpdated": "2025-04-11T13:24:10.230Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52282\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-11T13:23:47.197155Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-11T13:24:02.823Z\"}}], \"cna\": {\"title\": \"Rancher Helm Applications may have sensitive values leaked\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SUSE\", \"product\": \"rancher\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.8.0\", \"lessThan\": \"2.8.10\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2.9.0\", \"lessThan\": \"2.9.4\", \"versionType\": \"semver\"}], \"packageName\": \"github.com/rancher/rancher\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-11-20T17:24:00.000Z\", \"references\": [{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-52282\"}, {\"url\": \"https://github.com/rancher/rancher/security/advisories/GHSA-9c5p-35gj-jqp4\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET\\n access to the Rancher Manager Apps Catalog to read any sensitive information that are \\ncontained within the Apps\\u2019 values. Additionally, the same information \\nleaks into auditing logs when the audit level is set to equal or above \\n2.\\n\\nThis issue affects rancher: from 2.8.0 before 2.8.10, from 2.9.0 before 2.9.4.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eA Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with \u003ccode\u003eGET\u003c/code\u003e\\n access to the Rancher Manager Apps Catalog to read any sensitive information that are \\ncontained within the Apps\\u2019 values. Additionally, the same information \\nleaks into auditing logs when the audit level is set to equal or above \\n2.\u003c/div\u003e\u003cp\u003eThis issue affects rancher: from 2.8.0 before 2.8.10, from 2.9.0 before 2.9.4.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"shortName\": \"suse\", \"dateUpdated\": \"2025-04-11T10:57:55.420Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52282\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-11T13:24:10.230Z\", \"dateReserved\": \"2024-11-06T12:19:57.723Z\", \"assignerOrgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"datePublished\": \"2025-04-11T10:57:55.420Z\", \"assignerShortName\": \"suse\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-52282

Vulnerability from fkie_nvd - Published: 2025-04-11 11:15 - Updated: 2025-04-11 15:39

Severity ?

6.2 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-52282
	meissner@suse.de	https://github.com/rancher/rancher/security/advisories/GHSA-9c5p-35gj-jqp4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET\n access to the Rancher Manager Apps Catalog to read any sensitive information that are \ncontained within the Apps\u2019 values. Additionally, the same information \nleaks into auditing logs when the audit level is set to equal or above \n2.\n\nThis issue affects rancher: from 2.8.0 before 2.8.10, from 2.9.0 before 2.9.4."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial a un agente no autorizado en SUSE Rancher permite que cualquier usuario con acceso GET al cat\u00e1logo de aplicaciones de Rancher Manager acceda a la informaci\u00f3n confidencial contenida en los valores de las aplicaciones. Adem\u00e1s, esta misma informaci\u00f3n se filtra a los registros de auditor\u00eda cuando el nivel de auditor\u00eda es igual o superior a 2. Este problema afecta a Rancher: de la versi\u00f3n 2.8.0 a la 2.8.10, y de la versi\u00f3n 2.9.0 a la 2.9.4."
    }
  ],
  "id": "CVE-2024-52282",
  "lastModified": "2025-04-11T15:39:52.920",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 4.0,
        "source": "meissner@suse.de",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-11T11:15:41.630",
  "references": [
    {
      "source": "meissner@suse.de",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-52282"
    },
    {
      "source": "meissner@suse.de",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-9c5p-35gj-jqp4"
    }
  ],
  "sourceIdentifier": "meissner@suse.de",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "meissner@suse.de",
      "type": "Secondary"
    }
  ]
}

GHSA-9C5P-35GJ-JQP4

Vulnerability from github – Published: 2024-11-20 18:24 – Updated: 2025-04-11 23:13

Summary

Rancher Helm Applications may have sensitive values leaked

Details

Impact

A vulnerability has been identified within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the Apps Custom Resource Definition, resulting in any users with GET access to it to be able to read any sensitive information that are contained within the Apps’ values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2.

Application charts without sensitive data are not affected by this vulnerability. This vulnerability impacts any Helm applications installed on a Rancher Manager cluster, regardless of it being installed via the Marketplace or using the helm cli.

Please consult the associated MITRE ATT&CK - Technique - Exploitation for Privilege Escalation for further information about this category of attack.

Patches

Patched versions include Rancher Manager 2.9.5 and 2.8.10. The fix ensures that all Helm values for each App are stored as Kubernetes Secrets. After the upgrade, users are recommended to rotate passwords and secrets that may have been leaked while using the affected versions.

Workarounds

No workarounds are available, therefore users are advised to upgrade to a patched version of Rancher Manager. For deployments that can’t be upgraded in a timely fashion, admins are advised to limit the impact by reducing the amount of users who can get or list the Apps’ CRD. Additionally, the same applies to the auditing logs if the Rancher Manager has audit logs enabled and set to level 2 or above.

For more information

If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.

Severity ?

6.2 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-20T18:24:53Z",
    "nvd_published_at": "2025-04-11T11:15:41Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA vulnerability has been identified within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the `Apps` Custom Resource Definition, resulting in any users with `GET` access to it to be able to read any sensitive information that are contained within the Apps\u2019 values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2.\n\nApplication charts without sensitive data are not affected by this vulnerability.\nThis vulnerability impacts any Helm applications installed on a Rancher Manager cluster, regardless of it being installed via the Marketplace or using the helm cli.\n\nPlease consult the associated [MITRE ATT\u0026CK - Technique - Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/) for further information about this category of attack.\n\n### Patches\nPatched versions include Rancher Manager `2.9.5` and `2.8.10`. The fix ensures that all Helm values for each App are stored as Kubernetes Secrets. After the upgrade, users are recommended to rotate passwords and secrets that may have been leaked while using the affected versions.\n\n### Workarounds\nNo workarounds are available, therefore users are advised to upgrade to a patched version of Rancher Manager.\nFor deployments that can\u2019t be upgraded in a timely fashion, admins are advised to limit the impact by reducing the amount of users who can get or list the Apps\u2019 CRD. Additionally, the same applies to the auditing logs if the Rancher Manager has audit logs enabled and set to level 2 or above.\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
  "id": "GHSA-9c5p-35gj-jqp4",
  "modified": "2025-04-11T23:13:19Z",
  "published": "2024-11-20T18:24:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-9c5p-35gj-jqp4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52282"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-52282"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rancher"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rancher Helm Applications may have sensitive values leaked"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-52282 (GCVE-0-2024-52282)

FKIE_CVE-2024-52282

GHSA-9C5P-35GJ-JQP4

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature