Rancher Fleet Unauthorized Data Disclosure Vulnerability
Vulnerability
Rancher Fleet versions 0.11.0 and later, before the fixed releases 0.11.10, 0.12.6 and 0.13.1-0.20250806151509-088bcbea7edb, allow unauthorized disclosure of sensitive data. Fleet copies the rendered Helm values of a bundle, including anything supplied through valuesFiles, into the BundleDeployment resource in plain text, so any subject with get or list permission on BundleDeployment objects (API group fleet.cattle.io) can read those values, which may include credentials or other secrets. BundleDeployment is a custom resource: it is not covered by Secret-specific RBAC, and it is not encrypted at rest unless the cluster's encryption configuration has been explicitly extended to it, so the same data also sits in clear text in the cluster datastore. Helm v3, by contrast, stores release data in Kubernetes Secrets, which are guarded by Secret RBAC and are the resource type that API-server encryption at rest is normally configured to cover. The practical effect is that a seemingly low-privilege read grant on a Fleet resource is equivalent to reading the secrets embedded in every deployed chart's values.
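The exposure described above can be scoped with the following audit helper, an added example that is not part of the advisory or of Fleet's own code. It runs offline on constructed sample objects (one BundleDeployment and a few RBAC roles; none of it is real cluster data) and does two things: it lists the RBAC roles whose rules grant get or list on bundledeployments.fleet.cattle.io, wildcards included, and it walks spec.options.helm.values and spec.stagedOptions.helm.values of a BundleDeployment for keys that look like credentials. The only assumption about Fleet is that layout of the values fields; in a real cluster the input would come from `kubectl get ... -o json`. The key-name regex is a heuristic and will miss secrets stored under innocuous names.

```python
"""Audit helper (added example, not Fleet code): who can read BundleDeployment
Helm values, and which of those values look like secrets."""
import json
import re
from typing import Any, Iterator

FLEET_GROUP = "fleet.cattle.io"
BUNDLEDEPLOYMENT = "bundledeployments"
READ_VERBS = {"get", "list"}

# Heuristic on key names only; tune for your charts, it cannot see values
# stored under neutral names such as "config".
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|credential|private[_-]?key)", re.I
)

# Constructed sample BundleDeployment (assumption: this is the shape returned by
# `kubectl get bundledeployment -o json`; values live under
# spec.options.helm.values and spec.stagedOptions.helm.values).
SAMPLE_BUNDLEDEPLOYMENT: dict[str, Any] = json.loads("""
{
  "apiVersion": "fleet.cattle.io/v1alpha1",
  "kind": "BundleDeployment",
  "metadata": {"name": "demo-app-cluster-a",
               "namespace": "cluster-fleet-default-cluster-a"},
  "spec": {
    "options": {"helm": {"releaseName": "demo-app", "values": {
      "image": {"tag": "1.2.3"},
      "db": {"host": "db.internal", "password": "hunter2-constructed"},
      "apiToken": "tok_constructed_value"}}},
    "stagedOptions": {"helm": {"values": {
      "db": {"password": "staged-constructed"}}}}
  }
}
""")

# Constructed sample roles. Only the first and third expose the values: a
# subresource grant (bundledeployments/status) never returns spec.options.
SAMPLE_ROLES: list[dict[str, Any]] = [
    {"metadata": {"name": "fleet-readonly"}, "rules": [
        {"apiGroups": [FLEET_GROUP], "resources": ["bundles", BUNDLEDEPLOYMENT],
         "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "pod-viewer"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "wildcard-reader"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}]},
    {"metadata": {"name": "fleet-status-only"}, "rules": [
        {"apiGroups": [FLEET_GROUP], "resources": ["bundledeployments/status"],
         "verbs": ["get"]}]},
]


def _walk(obj: Any, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Any]]:
    """Yield (path, leaf) for every scalar inside nested dicts and lists."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, path + (str(key),))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, path + (f"[{idx}]",))
    else:
        yield path, obj


def find_sensitive_values(bd: dict[str, Any]) -> list[str]:
    """Dotted paths of non-empty string values under a secret-looking key."""
    hits: list[str] = []
    spec = bd.get("spec", {})
    for opts in ("options", "stagedOptions"):
        values = spec.get(opts, {}).get("helm", {}).get("values") or {}
        for path, leaf in _walk(values):
            if isinstance(leaf, str) and leaf and any(SENSITIVE_KEY.search(p) for p in path):
                hits.append(f"spec.{opts}.helm.values." + ".".join(path))
    return hits


def rule_grants_read(rule: dict[str, Any]) -> bool:
    """True if one RBAC PolicyRule allows get or list on the full resource."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    return (("*" in groups or FLEET_GROUP in groups)
            and ("*" in resources or BUNDLEDEPLOYMENT in resources)
            and ("*" in verbs or bool(verbs & READ_VERBS)))


def roles_exposing_values(roles: list[dict[str, Any]]) -> list[str]:
    """Names of roles with at least one rule that exposes BundleDeployment values."""
    return [r["metadata"]["name"] for r in roles
            if any(rule_grants_read(rule) for rule in r.get("rules", []))]


if __name__ == "__main__":
    print("plaintext secret-like values:", find_sensitive_values(SAMPLE_BUNDLEDEPLOYMENT))
    print("roles that can read them:", roles_exposing_values(SAMPLE_ROLES))
```

On a live cluster, feed `roles_exposing_values` the items of `kubectl get clusterroles,roles -A -o json` and `find_sensitive_values` each item of `kubectl get bundledeployments -A -o json`; the intersection tells you which principals could already have read which secrets, which is the scope of credential rotation after upgrading.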
Impact
Any subject with get or list permission on BundleDeployment resources, whether granted directly or through a wildcard rule, can read the Helm values of every bundle deployed to the clusters it can see, including credentials and other secrets, in plain text from the API. The same data is stored unencrypted in the cluster datastore, so datastore backups and snapshots expose it as well. Because the read grant looks harmless, it is often given to monitoring or support roles that would never be granted access to Secrets; credentials that were ever present in values should be treated as exposed to every such principal and rotated after the upgrade.
Remediation
Upgrade to Rancher Fleet 0.13.1-0.20250806151509-088bcbea7edb, 0.12.6 or 0.11.10. If an upgrade is not possible, as a temporary measure specify the entries in valuesFiles as simple file names rather than paths so that they are not processed; this keeps their contents out of the BundleDeployment and reduces, but does not eliminate, the exposure. Independently of the upgrade, review which roles hold get or list on bundledeployments.fleet.cattle.io and remove that grant from any subject that is not allowed to read Secrets, since for affected versions the two permissions are equivalent.
