PT-2022-10888 · Spinnaker · Spinnaker

Jasonmcintosh · Published 2022-01-04 · Updated 2022-01-18

CVE-2021-39143

CVSS v3.1: 7.1 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Spinnaker (affected versions not specified)

Description: A path traversal vulnerability was discovered in Spinnaker's handling of TAR files used by AppEngine for deployments. It allows an attacker to overwrite files on the container, potentially introducing a Man-in-the-Middle (MITM) type attack vector by replacing libraries or injecting wrapper files. The issue arises because the utility that extracts the deployment locally does not validate the member paths in the deployment TAR, so system files can be overwritten.

Recommendations: For all affected versions, update Spinnaker as soon as possible. As a temporary workaround, users who cannot update should consider disabling Google AppEngine deployments and/or disabling artifacts that provide TARs, to reduce the risk of exploitation.
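As an added illustration (not code from the advisory or from Spinnaker), the following Python check performs the per-member path validation the description says was missing: every TAR member is resolved against the destination directory before anything is written, and the whole archive is refused if any member, or any link target, would land outside it. The sample archive and its member names are constructed for the demonstration.

```python
import io
import os
import tarfile


def _inside(path: str, root: str) -> bool:
    return path == root or path.startswith(root + os.sep)  # root itself or beneath it


def unsafe_members(archive_bytes: bytes, dest: str) -> list:
    """Names of TAR members that would land outside dest.
    This is the validation the advisory says the extraction utility lacked: every
    member is resolved against the destination before anything is written, so an
    absolute name, a '..' climb, or a link whose target leaves dest is caught.
    """
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            if not _inside(target, root):
                bad.append(m.name)
                continue
            if m.issym():    # symlink target is relative to the link's own directory
                link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
            elif m.islnk():  # hard link target is relative to the archive root
                link = os.path.realpath(os.path.join(root, m.linkname))
            else:
                continue
            if not _inside(link, root):
                bad.append(m.name)
    return bad


def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any member fails; otherwise extract and list it."""
    bad = unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, traversal in members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_archive(names) -> bytes:
    """Constructed test archive (not from the advisory) with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 2
            tar.addfile(info, io.BytesIO(b"ok"))
    return buf.getvalue()
```

On Python 3.12 and later, `tarfile`'s `extractall(..., filter="data")` applies comparable restrictions natively; the explicit check above makes the rejected members visible for logging.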

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-39143
GHSA-34JX-3VMR-56V8

Affected Products

Spinnaker