Impact
A missing validation check in the Helm Deployer of Rancher Fleet allows an attacker who can create or modify Helm releases to reference a secret in another tenant's namespace via a valuesFrom reference. The vulnerability permits the attacker to read Fleet credentials that belong to other tenants, exposing sensitive information that could be used for further compromise. The primary impact is a confidentiality breach of secrets such as API keys, passwords, or tokens, potentially enabling lateral movement within the Rancher environment.
Affected Systems
SUSE Rancher Fleet versions 0.15 prior to 0.15.2, 0.14 prior to 0.14.6, 0.13 prior to 0.13.11, and 0.12 prior to 0.12.15 are affected.
Risk and Exploitability
The CVSS score of 9.9 indicates critical severity. Although the EPSS score is below 1% and the vulnerability has no KEV listing, neither diminishes the urgency of remediation. Based on the description, the likely attack vector is within the same cluster: a tenant with deployment privileges crafts a Helm manifest whose valuesFrom entry references another tenant's secret, and the missing namespace check lets the deployer resolve it. Successful exploitation would result in the disclosure of realm-wide credentials.
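The validation the Impact and Risk sections describe as missing is a namespace check on each valuesFrom secret reference. The following is an added illustration of such a check, written here for this page and not taken from the Fleet code base; the ValuesFrom and SecretKeyRef struct shapes and the function name are assumptions, and the sample references are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretKeyRef models a valuesFrom.secretKeyRef entry (assumed field names).
type SecretKeyRef struct {
	Name      string
	Namespace string
	Key       string
}

// ValuesFrom models one entry of a Helm release's valuesFrom list (assumed shape).
type ValuesFrom struct {
	SecretKeyRef *SecretKeyRef
}

// ErrCrossNamespaceRef is returned when a valuesFrom entry points outside
// the namespace the release is deployed into.
var ErrCrossNamespaceRef = errors.New("valuesFrom references a secret in another namespace")

// ValidateValuesFrom enforces tenant isolation: every secretKeyRef must either
// omit the namespace (resolved as the release namespace) or name that namespace
// explicitly. It returns the offending references so the caller can log them.
func ValidateValuesFrom(releaseNamespace string, refs []ValuesFrom) ([]string, error) {
	var offending []string
	for i, ref := range refs {
		if ref.SecretKeyRef == nil {
			continue // no secret reference in this entry
		}
		ns := ref.SecretKeyRef.Namespace
		if ns == "" || ns == releaseNamespace {
			continue
		}
		offending = append(offending, fmt.Sprintf("valuesFrom[%d]: %s/%s", i, ns, ref.SecretKeyRef.Name))
	}
	if len(offending) > 0 {
		return offending, fmt.Errorf("%w: %v", ErrCrossNamespaceRef, offending)
	}
	return nil, nil
}

func main() {
	// Constructed sample: a release in tenant-a tries to pull a secret from tenant-b.
	refs := []ValuesFrom{
		{SecretKeyRef: &SecretKeyRef{Name: "db-creds", Key: "password"}},
		{SecretKeyRef: &SecretKeyRef{Name: "fleet-token", Namespace: "tenant-b", Key: "token"}},
	}
	if bad, err := ValidateValuesFrom("tenant-a", refs); err != nil {
		fmt.Println("rejected:", err, bad)
		return
	}
	fmt.Println("accepted")
}
```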
OpenCVE Enrichment