CVE-2021-43832 | Spinnaker is an open source, multi-cloud continuous delivery… | CVSS 10.0 CRITICAL

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards.

Metadata

CVE ID: CVE-2021-43832
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2021-11-16 00:00 UTC
Published: 2022-01-04 19:20 UTC
Last updated: 2025-04-23 19:15 UTC
Primary CWE: CWE-306
CWE-306: Missing Authentication for Critical Function
Vendor / Product: spinnaker / spinnaker
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
spinnaker	spinnaker	—	>= 1.26.0, < 1.26.7, < 1.25.8

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306: Missing Authentication for Critical Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

References (1)

https://github.com/spinnaker/spinnaker/security/advisories/GHSA-9h7c-rfrp-gvgp