Vulnerability Description
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Spinnaker | < 1.25.8 |
Related Weaknesses (CWE)
References
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-9h7c-rfrp-gvgpThird Party Advisory
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-9h7c-rfrp-gvgpThird Party Advisory
FAQ
What is CVE-2021-43832?
CVE-2021-43832 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate en...
How severe is CVE-2021-43832?
CVE-2021-43832 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-43832?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Spinnaker.