PT-2026-51444 · Maven · Io.Spinnaker.Orca:Orca-Core+1
Publicado
2026-06-22
·
Atualizado
2026-06-22
·
CVE-2026-44795
CVSS v3.1
8.5
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N |
Impact
There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing:
- CloudFormation deployments
- CloudFoundry Baking
The usage of a non-safe constructor use allows arbitrary loading of Java classes leading to RCE.
Patches
2025.3.3, 2026.0.3 and 2025.4.4.
Workarounds
Disable the CloudFormation system and cloudfoundry baking operations.
Resources
Join Spinnaker on Slack for more information!
Correção
Deserialization of Untrusted Data
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Io.Spinnaker.Orca:Orca-Core
Io.Spinnaker.Rosco:Rosco-Core