Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2021-43832
HistoryJan 04, 2022 - 8:15 p.m.

CVE-2021-43832

2022-01-0420:15:07
CWE-306
GitHub_M
web.nvd.nist.gov
28
spinnaker
cve-2021-43832
multi-cloud
continuous delivery
pipeline creation
rbac
remote execution
resource deployment
access control

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

9.6

Confidence

High

EPSS

0.01

Percentile

84.0%

JSON

Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven’t setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards.

Affected configurations

Nvd
Vulners
Node
linuxfoundationspinnakerRange<1.25.8
OR
linuxfoundationspinnakerRange1.26.01.26.7
VendorProductVersionCPE
linuxfoundationspinnaker*cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "spinnaker",
    "vendor": "spinnaker",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.26.0, < 1.26.7"
      },
      {
        "status": "affected",
        "version": "< 1.25.8"
      }
    ]
  }
]

Related

cvelist 1
cnvd 1
prion 1
nvd 1
cvelist
cvelist
CVE-2021-43832 Improper Access Control in spinnaker
2022-01-04 19:20:10
cnvd
cnvd
Spinnaker Access Control Error Vulnerability
2022-01-06 00:00:00
prion
prion
Design/Logic Flaw
2022-01-04 20:15:00
nvd
nvd
CVE-2021-43832
2022-01-04 20:15:07

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

9.6

Confidence

High

EPSS

0.01

Percentile

84.0%

JSON
Related for CVE-2021-43832
cvelist1cnvd1prion1nvd1