CVE-2021-43832— Improper Access Control in spinnaker

Improper Access Control in spinnaker

Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

关键功能的认证机制缺失

Spinnaker 访问控制错误漏洞

Spinnaker是一个持续交付平台。用于以高速度和信心发布软件变更。 Spinnaker 存在访问控制错误漏洞，该漏洞源于软件存在不适当的权限，允许管道创建和执行。这允许具有gate端点访问权的任意用户创建一个管道并在不需要身份验证的情况下执行它。如果用户没有在spinnaker中设置基于角色的访问控制(RBAC)，这将允许远程执行和访问在任何帐户上部署任何资源。

N/A

N/A