PT-2023-26894 · Spinnaker

Jasonmcintosh · Published 2023-08-28 · Updated 2023-09-01 · CVE-2023-39348

CVSS v3.1: 4.0 (Medium)
Vector: AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Spinnaker (affected versions not specified)
Description: Spinnaker is an open source, multi-cloud continuous delivery platform. The log output level used when updating GitHub status is always set to FULL, which can write GitHub tokens to the log system. This issue affects users of GitHub Status Notifications: a leaked token may grant elevated access to repositories outside the user's control, and even with read-restricted tokens the exposure could allow reading resources that are otherwise restricted.
Recommendations: To resolve the issue, apply the patch and rotate the GitHub token used for GitHub Status Notifications. As a temporary workaround, disable GitHub Status Notifications. Filter Echo log data to minimize the risk of token exposure, and use read-only tokens limited in scope to reduce the impact of a potential token exposure.

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2023-39348
GHSA-RQ5C-HVW6-8PR7

Affected Products

Spinnaker