Information Exposure Affecting github.com/rancher/rancher/pkg/catalogv2/helm package, versions >=2.8.0 <2.8.10, >=2.9.0 <2.9.4


Severity: high (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGCATALOGV2HELM-8400303
  • Published: 21 Nov 2024
  • Disclosed: 20 Nov 2024
  • Credit: Unknown

Introduced: 20 Nov 2024

CVE-2024-52282
CWE-200

How to fix?

Upgrade github.com/rancher/rancher/pkg/catalogv2/helm to version 2.8.10, 2.9.4 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure because Helm values are stored directly in the Apps Custom Resource Definition. An attacker can access sensitive information contained in those values through GET access to the Apps' CRD, or from the audit logs when the audit level is set to 2 or above.

Workaround

Admins who are unable to upgrade to the fixed version are advised to limit the impact by reducing the number of users who can get or list the Apps’ CRD. The same applies to access to the audit logs if the Rancher Manager has audit logging enabled and set to level 2 or above.
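As an added example (not Rancher's or Snyk's code) of the workaround's first step, the following script lists which Roles or ClusterRoles grant read access to the Apps CRD, honouring RBAC wildcards. It assumes the CRD is served in API group catalog.cattle.io with resource name apps, and runs on constructed sample roles rather than a live cluster.

```python
import json

APPS_GROUP = "catalog.cattle.io"  # assumption: API group of the Apps CRD
APPS_RESOURCE = "apps"            # assumption: plural resource name
READ_VERBS = {"get", "list", "watch"}


def _matches(values, wanted):
    # In Kubernetes RBAC a "*" entry matches any group, resource or verb.
    return "*" in values or wanted in values


def rule_grants_read(rule):
    """True if one PolicyRule lets its holder read App objects."""
    if not _matches(rule.get("apiGroups", []), APPS_GROUP):
        return False
    if not _matches(rule.get("resources", []), APPS_RESOURCE):
        return False
    verbs = set(rule.get("verbs", []))
    return "*" in verbs or bool(verbs & READ_VERBS)


def roles_exposing_apps(roles):
    """Names of Roles/ClusterRoles granting get, list or watch on Apps."""
    return sorted(
        role["metadata"]["name"]
        for role in roles
        if any(rule_grants_read(r) for r in role.get("rules", []))
    )


# Constructed sample in the shape of `kubectl get clusterroles -o json`.
SAMPLE_ROLE_LIST = json.loads("""{"items": [
 {"metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "app-viewer"},
  "rules": [{"apiGroups": ["catalog.cattle.io"], "resources": ["apps"],
             "verbs": ["get", "list"]}]},
 {"metadata": {"name": "app-installer"},
  "rules": [{"apiGroups": ["catalog.cattle.io"], "resources": ["apps"],
             "verbs": ["create", "delete"]}]},
 {"metadata": {"name": "deploy-viewer"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
             "verbs": ["get", "list"]}]}
]}""")

if __name__ == "__main__":
    # Prints ['app-viewer', 'cluster-admin']; review those bindings first.
    print(roles_exposing_apps(SAMPLE_ROLE_LIST["items"]))
```

Feed it the real output of `kubectl get roles,clusterroles -A -o json` to see which roles still need trimming; note that "deploy-viewer" is correctly skipped because the resource name "apps" only matters inside the CRD's own API group.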
