PT-2022-11916 · Spinnaker · Spinnaker

Sébastien Kaul · Published 2022-01-04 · Updated 2022-01-14 · CVE-2021-43832

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Spinnaker (affected versions not specified)
Description: Spinnaker, an open source, multi-cloud continuous delivery platform, applies improper permissions to pipeline creation and execution. Any user who can reach the Gate endpoint (Spinnaker's API gateway) can create a pipeline and execute it without authentication. If role-based access control (RBAC) is not set up within Spinnaker, this gives remote code execution through the pipeline and the ability to deploy almost any resource on any account the deployment manages.
Recommendations: Upgrade to the latest release of a supported branch as soon as possible. If unable to upgrade, enable RBAC on all accounts and applications so that a pipeline can only affect the accounts its roles permit. Block application access unless permissions are explicitly granted. Restrict all application creation via appropriate prefix wildcards.
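The workaround above reduces to a handful of settings in the Halyard deployment config (~/.hal/config) and in fiat-local.yml. The audit script below is an added example, not code from the advisory or from the Spinnaker project. It assumes the documented property names (security.authn.<provider>.enabled, security.authz.enabled, providers.<name>.accounts[].permissions, fiat.restrictApplicationCreation and auth.permissions.source.application.prefix), which should be verified against the Spinnaker release in use; both sample configurations are constructed for the example, one mirroring an unprotected install and one with the advisory's mitigations applied.

```python
"""Added example (not from the advisory or Spinnaker): lint the settings the
advisory's workaround depends on. Key names follow the Halyard and Fiat docs
as understood by the example's author (assumption: check your release).
"""
from typing import Any, Dict, List

AUTHN_PROVIDERS = ("oauth2", "saml", "ldap", "x509", "iap")
ACTIONS = ("READ", "WRITE", "EXECUTE", "CREATE")


def _roles(value: Any) -> List[str]:
    """Normalise a permissions entry to a list of non-empty role names."""
    if isinstance(value, str):
        value = [value]
    return [r for r in (value or []) if isinstance(r, str) and r.strip()]


def lint_halconfig(deployment: Dict[str, Any]) -> List[str]:
    """Check the 'security' and 'providers' blocks of one halconfig deployment."""
    findings: List[str] = []
    security = deployment.get("security", {})
    authn = security.get("authn", {})
    if not any(authn.get(p, {}).get("enabled") for p in AUTHN_PROVIDERS):
        findings.append("security.authn: no provider enabled, Gate accepts anonymous callers")
    if not security.get("authz", {}).get("enabled"):
        findings.append("security.authz.enabled is not true: Fiat RBAC is off, any caller "
                        "reaching Gate can create and run pipelines against any account")
    # "enable RBAC on all accounts": every account must carry READ/WRITE roles
    for provider, pcfg in deployment.get("providers", {}).items():
        for acct in pcfg.get("accounts") or []:
            perms = acct.get("permissions") or {}
            missing = [a for a in ("READ", "WRITE") if not _roles(perms.get(a))]
            if missing:
                findings.append(f"providers.{provider}.accounts[{acct.get('name', '?')}]: "
                                f"no {'/'.join(missing)} roles, usable by every pipeline")
    return findings


def lint_fiat_local(cfg: Dict[str, Any]) -> List[str]:
    """Check that application creation is restricted and governed by prefix rules."""
    findings: List[str] = []
    if not cfg.get("fiat", {}).get("restrictApplicationCreation"):
        findings.append("fiat.restrictApplicationCreation is not true: any caller Fiat "
                        "admits can create an application and pipelines inside it")
    prefix = (cfg.get("auth", {}).get("permissions", {}).get("source", {})
              .get("application", {}).get("prefix", {}))
    rules = prefix.get("prefixes") or []
    if not prefix.get("enabled") or not rules:
        findings.append("auth.permissions.source.application.prefix: no enabled prefix "
                        "rules govern application creation")
        return findings
    for rule in rules:
        pat = rule.get("prefix", "")
        if not pat:
            findings.append("prefix rule without a 'prefix' pattern")
        for action, roles in (rule.get("permissions") or {}).items():
            if action not in ACTIONS:
                findings.append(f"prefix {pat!r}: unknown action {action!r}")
            elif not _roles(roles):
                findings.append(f"prefix {pat!r}: {action} names no role, rule is ineffective")
    return findings


def audit(deployment: Dict[str, Any], fiat_local: Dict[str, Any]) -> List[str]:
    return lint_halconfig(deployment) + lint_fiat_local(fiat_local)


# Constructed samples. WEAK mirrors an install with no authn, no authz and an
# unrestricted account; HARDENED applies the advisory's mitigations.
WEAK_DEPLOYMENT = {
    "security": {"authn": {"oauth2": {"enabled": False}}, "authz": {"enabled": False}},
    "providers": {"kubernetes": {"accounts": [{"name": "prod-k8s"}]}},
}
WEAK_FIAT = {"fiat": {"restrictApplicationCreation": False}}

HARDENED_DEPLOYMENT = {
    "security": {
        "authn": {"oauth2": {"enabled": True}},
        "authz": {"enabled": True, "groupMembership": {"service": "GITHUB"}},
    },
    "providers": {"kubernetes": {"accounts": [
        {"name": "prod-k8s",
         "permissions": {"READ": ["platform-team"], "WRITE": ["platform-team"]}},
    ]}},
}
HARDENED_FIAT = {
    "fiat": {"restrictApplicationCreation": True},
    "auth": {"permissions": {"source": {"application": {"prefix": {
        "enabled": True,
        "prefixes": [{"prefix": "platform-*", "permissions": {
            "READ": ["platform-team"], "WRITE": ["platform-team"],
            "EXECUTE": ["platform-team"], "CREATE": ["platform-team"]}}],
    }}}}},
}

if __name__ == "__main__":
    for label, dep, fiat in (("weak", WEAK_DEPLOYMENT, WEAK_FIAT),
                             ("hardened", HARDENED_DEPLOYMENT, HARDENED_FIAT)):
        found = audit(dep, fiat)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run against a real deployment by loading the YAML files into dicts and passing the deployment entry from deploymentConfigurations and the fiat-local.yml tree to audit(); an empty result means the three mitigations (authn plus authz on, every account role-restricted, application creation limited to named roles by prefix) are all present, while any finding marks a place where an unauthenticated caller could still reach pipeline creation or a permissive account.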

Fix

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2021-43832
GHSA-9H7C-RFRP-GVGP

Affected Products

Spinnaker