Spinnaker · Spinnaker · CVE-2021-43832
**Name of the Vulnerable Software and Affected Versions**
Spinnaker (affected versions not specified)
**Description**
Spinnaker, an open source, multi-cloud continuous delivery platform, has improper permissions allowing pipeline creation and execution. This issue enables an arbitrary user with access to the Gate endpoint to create a pipeline and execute it without authentication. If role-based access control (RBAC) is not set up within Spinnaker, this allows remote execution and access to deploy almost any resources on any account.
**Recommendations**
Upgrade to the latest releases of the supported branches as soon as possible.
If unable to upgrade, enable RBAC on all accounts and applications to mitigate the ability of a pipeline to affect any accounts.
Block application access unless permissions are enabled.
Restrict all application creation via appropriate wildcards.
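
The RBAC mitigation only holds if every account and application actually carries permissions, so the check below (an added example, not code from the advisory or the Spinnaker project) audits an inventory export and lists resources with no role restrictions or only partial ones. The inventory shape, the expected permission types per resource kind, and all names and roles are constructed assumptions.

```python
import json

# Constructed inventory. The record shape (a name plus a map of permission
# type to role list) is an assumption of this example, not a Spinnaker API.
SAMPLE_INVENTORY = json.loads("""
{"applications": [
   {"name": "payments", "permissions":
      {"READ": ["pay-dev"], "WRITE": ["pay-dev"], "EXECUTE": ["pay-dev"]}},
   {"name": "legacy-batch"},
   {"name": "sandbox", "permissions": {"READ": [], "WRITE": [], "EXECUTE": []}},
   {"name": "reports", "permissions": {"READ": ["analysts"]}}],
 "accounts": [
   {"name": "prod-aws", "permissions": {"READ": ["ops"], "WRITE": ["ops"]}},
   {"name": "dev-k8s", "permissions": null}]}
""")

# Permission types each resource kind is expected to carry (assumed here).
EXPECTED = {"applications": ("READ", "WRITE", "EXECUTE"),
            "accounts": ("READ", "WRITE")}

def granted_roles(resource):
    """Return {permission type: set of non-blank roles} for one resource."""
    perms = resource.get("permissions") or {}
    return {ptype.upper(): {r.strip() for r in (roles or []) if r and r.strip()}
            for ptype, roles in perms.items()}

def audit(inventory):
    """List (kind, name, issue) for every resource lacking role restrictions."""
    findings = []
    for kind, expected in EXPECTED.items():
        for res in inventory.get(kind, []):
            roles = granted_roles(res)
            missing = [p for p in expected if not roles.get(p)]
            if len(missing) == len(expected):
                findings.append((kind, res["name"], "no permissions set"))
            elif missing:
                findings.append((kind, res["name"],
                                 "no roles for " + ",".join(missing)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, name, issue in audit(SAMPLE_INVENTORY):
        print(f"{kind:<13} {name:<13} {issue}")
```

Entries reported as "no permissions set" are the ones to fix first; partially configured entries need a review of the permission types left without roles.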