High severity (7.7) · GHSA Advisory · Published Sep 2, 2025 · Updated Apr 15, 2026
CVE-2024-52284
Description
Unauthorized disclosure of sensitive data: any user with GET or LIST permissions on BundleDeployment resources could retrieve Helm values containing credentials or other secrets. The linked patch indicates the cause: a values file referenced from `fleet.yaml` with a directory prefix (for example `config-chart/values.yaml`) was not excluded from the bundle's resources, so its contents were stored in the bundle alongside the chart and became readable through the BundleDeployment object rather than staying confined to Helm values.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/rancher/fleet (Go) | >= 0.13.0, < 0.13.1-0.20250806151509-088bcbea7edb | 0.13.1-0.20250806151509-088bcbea7edb |
| github.com/rancher/fleet (Go) | >= 0.12.0, < 0.12.6 | 0.12.6 |
| github.com/rancher/fleet (Go) | >= 0.11.0, < 0.11.10 | 0.11.10 |
Affected products
Patches (1)
1. 088bcbea7edb — Harden values files exclusion from bundle resources
10 files changed · +81 −0
integrationtests/cli/apply/apply_test.go+32 −0 modified@@ -236,6 +236,38 @@ var _ = Describe("Fleet apply", Ordered, func() { }) }) }) + + When("a fleet.yaml located beside a local chart dir references a values file prefixed by its directory", func() { + BeforeEach(func() { + name = "helm-values-ignore" + dirs = []string{cli.AssetsPath + name} + }) + + It("creates a bundle without the values file", func() { + bundle, err := cli.GetBundleFromOutput(buf) + Expect(err).NotTo(HaveOccurred()) + Expect(bundle.Spec.Resources).To(HaveLen(2)) + + Expect(cli.AssetsPath + "helm-values-ignore/config-chart/templates/configmap.yaml").To(bePresentInBundleResources(bundle.Spec.Resources)) + Expect(cli.AssetsPath + "helm-values-ignore/config-chart/Chart.yaml").To(bePresentInBundleResources(bundle.Spec.Resources)) + }) + }) + + When("a fleet.yaml located within a local chart dir references a values file prefixed by its directory", func() { + BeforeEach(func() { + name = "helm-in-chart-fleetyaml-values-ignore" + dirs = []string{cli.AssetsPath + name} + }) + + It("creates a bundle without the values file", func() { + bundle, err := cli.GetBundleFromOutput(buf) + Expect(err).NotTo(HaveOccurred()) + Expect(bundle.Spec.Resources).To(HaveLen(2)) + + Expect(cli.AssetsPath + "helm-in-chart-fleetyaml-values-ignore/config-chart/templates/configmap.yaml").To(bePresentInBundleResources(bundle.Spec.Resources)) + Expect(cli.AssetsPath + "helm-in-chart-fleetyaml-values-ignore/config-chart/Chart.yaml").To(bePresentInBundleResources(bundle.Spec.Resources)) + }) + }) }) var _ = Describe("Fleet apply driven", Ordered, func() {
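Review bot: Neither new It block asserts the property the test is named for — that the referenced values file is absent from the bundle; `HaveLen(2)` plus two positive presence checks only implies it, and a failure would not say which file leaked. Add the negative check explicitly in each case, e.g. `Expect(cli.AssetsPath + "helm-values-ignore/config-chart/values.yaml").NotTo(bePresentInBundleResources(bundle.Spec.Resources))` and the `helm-in-chart-fleetyaml-values-ignore/config-chart/values.yaml` counterpart, assuming `bePresentInBundleResources` is an ordinary Gomega matcher usable with NotTo. The enclosing `Describe("Fleet apply", ...)` block begins before this hunk.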
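--- a/integrationtests/cli/assets/helm-in-chart-fleetyaml-values-ignore/config-chart/Chart.yaml
+++ b/integrationtests/cli/assets/helm-in-chart-fleetyaml-values-ignore/config-chart/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: config-chart
+description: A test chart that verifies its config
+type: application
+version: 0.1.0
+appVersion: "1.16.0"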
integrationtests/cli/assets/helm-in-chart-fleetyaml-values-ignore/config-chart/fleet.yaml+3 −0 added@@ -0,0 +1,3 @@ +helm: + valuesFiles: + - config-chart/values.yaml # resolves to `values.yaml` inside the same directory, but looks like an out-of-tree file
integrationtests/cli/assets/helm-in-chart-fleetyaml-values-ignore/config-chart/templates/configmap.yaml+7 −0 added@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-config +data: + test: "value" + name: {{ .Values.name }}
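--- a/integrationtests/cli/assets/helm-in-chart-fleetyaml-values-ignore/config-chart/values.yaml
+++ b/integrationtests/cli/assets/helm-in-chart-fleetyaml-values-ignore/config-chart/values.yaml
@@ -0,0 +1 @@
+name: global.fleet.clusterLabels.management.cattle.io/cluster-display-name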
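--- a/integrationtests/cli/assets/helm-values-ignore/config-chart/Chart.yaml
+++ b/integrationtests/cli/assets/helm-values-ignore/config-chart/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: config-chart
+description: A test chart that verifies its config
+type: application
+version: 0.1.0
+appVersion: "1.16.0"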
integrationtests/cli/assets/helm-values-ignore/config-chart/templates/configmap.yaml+7 −0 added@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-config +data: + test: "value" + name: {{ .Values.name }}
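--- a/integrationtests/cli/assets/helm-values-ignore/config-chart/values.yaml
+++ b/integrationtests/cli/assets/helm-values-ignore/config-chart/values.yaml
@@ -0,0 +1 @@
+name: global.fleet.clusterLabels.management.cattle.io/cluster-display-name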
integrationtests/cli/assets/helm-values-ignore/fleet.yaml+4 −0 added@@ -0,0 +1,4 @@ +helm: + chart: config-chart + valuesFiles: + - config-chart/values.yaml
internal/bundlereader/resources.go+14 −0 modified@@ -98,15 +98,29 @@ type loadOpts struct { // * spec.Targets[].Helm.ValuesFiles func ignoreApplyConfigs(spec *fleet.HelmOptions, targets ...fleet.BundleTarget) []string { ignore := []string{"fleet.yaml"} + + // Values files may be referenced from `fleet.yaml` files either with their file name + // alone, or with a directory prefix, for instance for a chart directory. + // Values files must be ignored in both cases, and determining which of the filename or full path will be needed + // depends on where the `fleet.yaml` file lives relatively to the values file(s) which it references. if spec != nil { ignore = append(ignore, spec.ValuesFiles...) + + for _, vf := range spec.ValuesFiles { + ignore = append(ignore, filepath.Base(vf)) + } } for _, target := range targets { if target.Helm == nil { continue } + ignore = append(ignore, target.Helm.ValuesFiles...) + + for _, vf := range target.Helm.ValuesFiles { + ignore = append(ignore, filepath.Base(vf)) + } } return ignore
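Review bot: Appending `filepath.Base(vf)` for every referenced values file widens the exclusion from one path to every file with that base name anywhere in the bundle; if the caller matches ignore entries by base name (the matching code is not in this hunk), a chart that legitimately ships a second `values.yaml`, for instance under `charts/<subchart>/`, would silently lose it from `Spec.Resources`, and a reference spelled `./values.yaml` is still only matched by its raw string unless the caller cleans paths. Either restrict the match to the referencing fleet.yaml's directory at the call site or document the deliberate over-exclusion, and extend the doc comment listing the ignored sources (it begins above this hunk) with a line such as `// Each values file is listed both as written and by base name.` The two identical append loops would read better as one helper that also avoids pushing the same entry twice when the reference has no directory prefix; the function's closing brace lies outside the hunk.
```go
	if spec != nil {
		ignore = appendValuesFiles(ignore, spec.ValuesFiles)
	}
	// … unchanged: target loop, its two appends replaced by the same call …
	return ignore

// appendValuesFiles records each referenced values file as written and, when
// the reference carries a directory prefix, by base name too, so the exclusion
// holds whether the referencing fleet.yaml sits beside or inside the chart dir.
func appendValuesFiles(ignore []string, files []string) []string {
	for _, vf := range files {
		ignore = append(ignore, vf)
		if base := filepath.Base(vf); base != vf {
			ignore = append(ignore, base)
		}
	}
	return ignore
}
```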
References