CVE-2021-43832: Improper Access Control in spinnaker
First published: Tue Jan 04 2022(Updated: )
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linuxfoundation Spinnaker | <1.25.8 | |
| Linuxfoundation Spinnaker | >=1.26.0<1.26.7 | |
| <1.25.8 | ||
| >=1.26.0<1.26.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-43832?
CVE-2021-43832 is a vulnerability in Spinnaker, an open source multi-cloud continuous delivery platform, that allows arbitrary users to create and execute pipelines without authentication.
How severe is CVE-2021-43832?
CVE-2021-43832 has a severity rating of 9.8 out of 10, which indicates a critical vulnerability.
What software versions are affected by CVE-2021-43832?
CVE-2021-43832 affects Spinnaker versions up to and including 1.25.8, as well as versions from 1.26.0 to 1.26.7.
How can I fix CVE-2021-43832?
To fix CVE-2021-43832, users should update their Spinnaker installation to a version that is not affected by the vulnerability.
Where can I find more information about CVE-2021-43832?
More information about CVE-2021-43832 can be found at the following reference: [GitHub Advisory](https://github.com/spinnaker/spinnaker/security/advisories/GHSA-9h7c-rfrp-gvgp)
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/references
- agent/title
- agent/first-publish-date
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/linuxfoundation
- canonical/linuxfoundation spinnaker
- version/linuxfoundation spinnaker/1.26.0