CVE-2020-9301
First published: Fri Dec 11 2020(Updated: )
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. The vulnerability exists within the handling of SpEL expressions that allows an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests.
Credit: security-report@netflix.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linuxfoundation Spinnaker | <1.21.5 | |
| Linuxfoundation Spinnaker | >=1.22.0<1.22.4 | |
| Linuxfoundation Spinnaker | >=1.23.0<1.23.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Spinnaker security vulnerability?
The vulnerability ID for this Spinnaker security vulnerability is CVE-2020-9301.
What is the severity of CVE-2020-9301?
The severity of CVE-2020-9301 is high with a CVSS score of 8.8.
Which versions of Spinnaker are affected by CVE-2020-9301?
All versions of Spinnaker prior to version 1.23.4, 1.22.4 or 1.21.5 are affected by CVE-2020-9301.
How can an attacker exploit CVE-2020-9301?
An attacker can exploit CVE-2020-9301 by manipulating SpEL expressions to read and write arbitrary files within the orca container.
How can I fix CVE-2020-9301?
To fix CVE-2020-9301, update Spinnaker to version 1.23.4, 1.22.4, or 1.21.5.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/tags
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/linuxfoundation
- canonical/linuxfoundation spinnaker
- version/linuxfoundation spinnaker/1.22.0
- version/linuxfoundation spinnaker/1.23.0