Spinnaker
Monthly
Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.
Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability enables credential theft, file manipulation, and resource injection with minimal complexity (CVSS 9.9, AV:N/AC:L/PR:L). EPSS data not available; no public exploit or active exploitation confirmed at time of analysis, but the attack simplicity and multi-cloud CD platform context create high risk for supply chain compromise in containerized environments.
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]
Spinnaker is an open source, multi-cloud continuous delivery platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.
Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability enables credential theft, file manipulation, and resource injection with minimal complexity (CVSS 9.9, AV:N/AC:L/PR:L). EPSS data not available; no public exploit or active exploitation confirmed at time of analysis, but the attack simplicity and multi-cloud CD platform context create high risk for supply chain compromise in containerized environments.
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]
Spinnaker is an open source, multi-cloud continuous delivery platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.