Lucene search
K

375 matches found

NVD
NVD
added 5 days ago8 views

CVE-2026-44938

A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a Fleet-monitored...

8.8CVSS0.00508EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 5:16 p.m.10 views

CVE-2026-44935

Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants...

9.9CVSS0.00585EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 4:0 p.m.24 views

CVE-2026-44935

The vulnerability (CVE-2026-44935) affects SUSE Rancher Fleet’s Helm Deployer where missing validation of valuesFrom references enables cross-tenant access to fleet credentials stored in secrets/config maps on downstream clusters. Affected versions include Fleet 0.15.x before 0.15.2, 0.14.x befor...

9.9CVSS5.8AI score0.00585EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/07/02 4:0 p.m.35 views

CVE-2026-44935 Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer

Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants...

9.9CVSS0.00585EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/02 4:0 p.m.9 views

CVE-2026-44935

Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants...

9.9CVSS5.8AI score0.00585EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/01 8:45 p.m.3 views

GHSA-XR65-5CPM-G36X Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer

Impact A vulnerability in Fleet for Rancher Manager affects multi-tenancy environments where different tenants share the same downstream clusters e.g., different privileged or untrusted teams inside the same organization. On unpatched versions, tenants could bypass restrictions to access any conf...

9.9CVSS5.8AI score0.00585EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/01 8:45 p.m.8 views

Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer

Impact A vulnerability in Fleet for Rancher Manager affects multi-tenancy environments where different tenants share the same downstream clusters e.g., different privileged or untrusted teams inside the same organization. On unpatched versions, tenants could bypass restrictions to access any conf...

9.9CVSS5.8AI score0.00585EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/07/01 8:35 p.m.3 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the addLabelsFromOptions function. An attacker can overwrite security-sensitive namespace labels by pushing changes to a monitored repository, thereby weakening admission controls and enabling...

8.8CVSS6AI score0.00508EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/01 8:35 p.m.12 views

Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent

Impact A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a...

8.8CVSS5.8AI score0.00508EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/26 12:22 a.m.3 views

MAL-2026-6491 Malicious code in hexo-deployer-wrangler (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...

6.4AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/17 4:58 a.m.8 views

Malicious code in @mastra/deployer-netlify (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2fc319f7f95075b9eb23f3c1dbde016dd6f4a23add16bf96a3449149d316d571 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

5.9AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/17 4:58 a.m.7 views

Malicious code in @mastra/deployer-vercel (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51c995bee89c27de9fc067df60d17baac74e4fec7f1682bc606694bb6f09848c The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/06/17 4:55 a.m.14 views

MAL-2026-6015 Malicious code in @mastra/deployer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cbd99dea462f2f28099ae0f57cd6c89edd76f08476cd9a6265b1c23defcd2b23 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.4AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/17 4:55 a.m.8 views

Malicious code in @mastra/deployer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ada3444d44067bbe5085e0892f7885b106c016c114676c2601b15bbb52ce4a4 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

5.9AI score
Exploits0References2
Veracode
Veracode
added 2026/05/16 5:31 a.m.16 views

Improper Authorization

Fleet is vulnerable to Improper Authorization. The vulnerability is due to incomplete application of ServiceAccount impersonation in certain Helm deployer code paths, which allows an attacker with git push access to read secrets from arbitrary namespaces on downstream clusters...

9.9CVSS6AI score0.00379EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/14 8:21 a.m.15 views

CVE-2026-41050

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS5.9AI score0.00379EPSS
Exploits0References1
NVD
NVD
added 2026/05/13 8:16 a.m.12 views

CVE-2026-41050

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS0.00379EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/13 8:4 a.m.12 views

CVE-2026-41050

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS5.9AI score0.00379EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/05/13 8:4 a.m.42 views

CVE-2026-41050 Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS0.00379EPSS
Exploits0References2
CVE
CVE
added 2026/05/13 8:4 a.m.25 views

CVE-2026-41050

CVE-2026-41050 describes a multi-tenant isolation failure in Fleet’s Helm deployer where ServiceAccount impersonation was not consistently applied in two code paths, causing the Helm template engine to run Kubernetes API queries and read Secret/ConfigMap references with the fleet-agent’s cluster-...

9.9CVSS5.9AI score0.00379EPSS
Exploits0References2
Rows per page
Query Builder