Improper Access Control in spinnaker

Critical
jasonmcintosh published GHSA-9h7c-rfrp-gvgp Jan 3, 2022

Package

spinnaker (Spinnaker)

Affected versions

<1.25.8, <1.26.7, <1.27.0

Patched versions

1.25.8, 1.26.7, 1.27.0

Description

Impact

Spinnaker's API granted broader unauthenticated access than intended: the rule that exempts the favorite icon (favicon) from authentication used a wildcard broad enough to also match authenticated API paths, allowing pipeline creation and execution. This lets an arbitrary unauthenticated user with network access to the API create and execute a pipeline. If RBAC has not been set up within Spinnaker on all accounts and applications, this enables remote execution and the ability to deploy resources.
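The root cause described above, an unauthenticated allow-rule for the favicon whose wildcard also covers authenticated API paths, can be checked mechanically. The following is an added example and not Spinnaker's own code: a simplified reimplementation of Ant-style path matching (the pattern syntax Spring Security's antMatchers accept) together with an audit that reports which protected routes a permit-all pattern would also admit. The patterns `/**/favicon.ico` and `/favicon.ico`, the route templates and the sample requests are assumptions for illustration, not taken from the advisory or from Spinnaker's configuration.

```python
"""Audit a permit-all path pattern against protected API routes.

Added example, not Spinnaker's own code. It reimplements Ant-style path
matching (the syntax Spring Security's antMatchers accept) in simplified
form and reports which protected routes an unauthenticated allow-rule would
also admit. Patterns, route templates and sample requests are assumptions
for illustration, not taken from Spinnaker's configuration.
"""
import re


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style pattern to an anchored regex.

    '**/' matches zero or more whole path segments, a trailing '**' matches
    the rest of the path, '*' matches within one segment and '?' one character.
    Path variables ({var}) are not supported in this simplified version.
    """
    regex = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            regex.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            regex.append(".*")
            i += 2
        elif pattern[i] == "*":
            regex.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            regex.append("[^/]")
            i += 1
        else:
            regex.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(regex) + "$")


def ant_matches(pattern: str, path: str) -> bool:
    return ant_to_regex(pattern).match(path) is not None


def route_to_regex(template: str) -> re.Pattern:
    """A {var} in a route template binds exactly one non-empty segment."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


# Assumed, illustrative route table: the kind of authenticated endpoints a
# deployment API exposes. Not Spinnaker's actual route definitions.
PROTECTED_ROUTES = [
    ("POST", "/pipelines/{application}/{pipelineNameOrId}"),  # trigger a pipeline
    ("POST", "/pipelines"),                                    # save a pipeline config
    ("GET", "/applications/{application}"),                    # read an application
]

# Constructed sample requests an unauthenticated client might send.
SAMPLE_REQUESTS = [
    ("GET", "/favicon.ico"),                   # the legitimate favicon fetch
    ("POST", "/pipelines/myapp/favicon.ico"),  # binds pipelineNameOrId="favicon.ico"
    ("GET", "/applications/favicon.ico"),      # binds application="favicon.ico"
    ("POST", "/pipelines"),                    # never matched by a favicon rule
]


def exposed_routes(permit_all_patterns, requests=SAMPLE_REQUESTS, routes=PROTECTED_ROUTES):
    """Return (method, path, route_template) for every request that a
    permit-all pattern admits without authentication but that a protected
    route would nonetheless handle."""
    permit = [ant_to_regex(p) for p in permit_all_patterns]
    hits = []
    for method, path in requests:
        if not any(r.match(path) for r in permit):
            continue  # authentication still required; nothing leaked
        for route_method, template in routes:
            if route_method == method and route_to_regex(template).match(path):
                hits.append((method, path, template))
    return hits


if __name__ == "__main__":
    for pattern in ("/**/favicon.ico", "/favicon.ico"):
        print(f"permitAll({pattern!r}):")
        leaks = exposed_routes([pattern])
        if not leaks:
            print("  no protected route reachable without authentication")
        for method, path, template in leaks:
            print(f"  LEAK {method} {path} -> {template}")
```

The broad pattern admits `/pipelines/myapp/favicon.ico` and `/applications/favicon.ico`, which the security filter waves through but the routing layer still dispatches to privileged handlers, because `{var}` segments happily bind the literal `favicon.ico`. Anchoring the allow-rule to the exact path `/favicon.ico` removes every hit. Spring Security's path matchers are method-agnostic; the method in the output only identifies which handler the request would reach.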

Patches

1.25.8
1.26.7
1.27.0

Workarounds

Enable RBAC on all accounts and applications and restrict application creation. This limits which accounts a pipeline created through this flaw can affect.

Block application access unless permissions are explicitly granted. See:
https://docs.armory.io/armory-enterprise/armory-admin/fiat-create-permissions/
ALL application creation must be restricted, using wildcards broad enough that no application name is left unrestricted.

References

None at this time.

For more information

If you have any questions or comments about this advisory:
Please see the #sig-security channel in the Spinnaker Slack.

Credits

Thanks to Sébastien Kaul (https://www.linkedin.com/in/sebastien-kaul) for the disclosure!

Severity

Critical
10.0 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2021-43832

Weaknesses