Jasonmcintosh

**Name of the Vulnerable Software and Affected Versions** Spinnaker (affected versions not specified) **Description** Spinnaker is an open source, multi-cloud continuous delivery platform. The log output when updating GitHub status is improperly set to FULL always, which could output GitHub tokens to a log system. This issue affects users of GitHub Status Notifications and may grant elevated access to repositories outside of control. If using READ restricted tokens, the exposure could allow access to resources otherwise restricted from reads. **Recommendations** To resolve the issue, apply the patch and rotate the GitHub token used for GitHub status notifications. As a temporary workaround, disable GH Status Notifications. Filter logs for Echo log data to minimize the risk of token exposure. Use read-only tokens that are limited in scope to reduce the impact of potential token exposure.

**Name of the Vulnerable Software and Affected Versions** Spinnaker's Rosco microservice versions prior to 1.29.2, 1.28.4, and 1.27.3 **Description** Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco does not properly mask secrets generated via packer builds, which can lead to exposure of sensitive AWS credentials in packer log files. It is recommended to use short lived credentials via role assumption and IAM profiles, and to set credentials in `/home/spinnaker/.aws/credentials` and `/home/spinnaker/.aws/config` as a volume mount for Rosco pods. Using IAM Roles instead of long lived credentials drastically mitigates the risk of credentials exposure. If static credentials have been used, it is recommended to purge any bake logs for AWS, evaluate whether `AWS ACCESS KEY`, `SECRET KEY` and/or other sensitive data has been introduced in log files and bake job logs, and then rotate these credentials. **Recommendations** For versions prior to 1.29.2, update to version 1.29.2 or later. For versions prior to 1.28.4, update to version 1.28.4 or later. For versions prior to 1.27.3, update to version 1.27.3 or later. As a temporary workaround, consider using short lived credentials via role assumption and IAM profiles. Restrict access to sensitive data by setting credentials in `/home/spinnaker/.aws/credentials` and `/home/spinnaker/.aws/config` as a volume mount for Rosco pods. Avoid using static credentials and instead use IAM Roles to minimize the risk of credentials exposure.

**Name of the Vulnerable Software and Affected Versions** Spinnaker (affected versions not specified) **Description** A path traversal vulnerability was discovered in Spinnaker's use of TAR files by AppEngine for deployments. This vulnerability allows an attacker to override files on the container, potentially introducing a Man-in-the-Middle (MITM) type attack vector by replacing libraries or injecting wrapper files. The issue arises because the utility used to extract files locally for deployment does not validate the paths in the deployment, which could lead to system files being overridden. **Recommendations** For all affected versions, update Spinnaker as soon as possible. As a temporary workaround for users unable to update, consider disabling Google AppEngine deployments and/or disabling artifacts that provide TARs to minimize the risk of exploitation.