Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-39143: Build software better, together

Spinnaker is an open source, multi-cloud continuous delivery platform. A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment don’t override system files. This would allow an attacker to override files on the container, POTENTIALLY introducing a MITM type attack vector by replacing libraries or injecting wrapper files. Users are advised to update as soon as possible. For users unable to update disable Google AppEngine deployments and/or disable artifacts that provide TARs.

CVE
Open in Source
#vulnerability#google#git#java

Impact

A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment don’t override system files. This would allow an attacker to override files on the container, POTENTIALLY introducing a MITM type attack vector by replacing libraries or injecting wrapper files.

Patches

Incoming…

Workarounds

Disable Google AppEngine deployments and/or disable artifacts that provide TARs.

References

To be updated. Reference examples:
https://bugzilla.redhat.com/show_bug.cgi?id=1584388

Code area (as of release 1.26):
https://github.com/spinnaker/clouddriver/blob/release-1.26.x/clouddriver-appengine/src/main/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtils.java

For more information

Email [email protected]

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE