Impact
Spinnaker has improper permissions allowing pipeline creation and execution due to an incorrect wildcard match for the favorite icon (favicon). This lets an arbitrary unauthenticated user with access to the API create and execute a pipeline. If users have not set up RBAC within Spinnaker on all accounts and applications, this enables remote execution and access to deploy resources.
Patches
1.25.8
1.26.7
1.27.0
Workarounds
Enable RBAC on all accounts and applications. Restrict application creation. This mitigates the ability of a pipeline to affect any accounts.
Block application access unless permissions are enabled. See:
https://docs.armory.io/armory-enterprise/armory-admin/fiat-create-permissions/
ALL application creation must be restricted via appropriate wildcards.
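As an added example (not part of this advisory), the following Fiat configuration applies the workaround above: it turns on the application-creation restriction and uses the `*` prefix wildcard so that every application name is covered, granting CREATE only to a named group. The keys follow the linked Armory documentation; the group name and file location are assumptions.

```yaml
# fiat-local.yml (assumed location; example configuration, not from the advisory)
fiat:
  # Weak setting: restrictApplicationCreation defaults to false, so any caller
  # can create a fresh application that no existing permission covers and then
  # create and run a pipeline inside it. Set to true to require explicit CREATE.
  restrictApplicationCreation: true

auth:
  permissions:
    provider:
      # Combine Front50 application permissions with the prefix source below
      application: aggregate
    source:
      application:
        prefix:
          enabled: true
          prefixes:
            # "*" matches every application name, so the restriction covers
            # ALL application creation, as the workaround requires.
            - prefix: "*"
              permissions:
                CREATE:
                  - "platform-admins"   # assumed group name
```

Verify the key names against the linked Armory page for your Fiat version before rolling this out, and confirm with a non-admin account that application creation is refused.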
References
None at this time.
For more information
If you have any questions or comments about this advisory:
Please see the #sig-security channel in the Spinnaker Slack.
Credits
Thanks to Sébastien Kaul (https://www.linkedin.com/in/sebastien-kaul) for the disclosure!