PT-2020-20576 · Netflix · Spinnaker

Nolan Ray · Published 2020-12-11 · Updated 2020-12-14 · CVE-2020-9301

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Spinnaker versions prior to 1.23.4

Spinnaker versions prior to 1.22.4

Spinnaker versions prior to 1.21.5

Description

A security issue exists in the handling of SpEL expressions, allowing an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests.

Recommendations

For versions prior to 1.23.4, update to version 1.23.4 or later.

For versions prior to 1.22.4, update to version 1.22.4 or later.

For versions prior to 1.21.5, update to version 1.21.5 or later.

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2020-9301

Affected Products

Spinnaker