CVE-2020-9301
Last modified
CVE-2020-9301 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. The vulnerability exists within the handling of SpEL expressions that allows an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests.. EPSS estimates a 1.50% chance of exploitation in the next 30 days.
Description
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. The vulnerability exists within the handling of SpEL expressions that allows an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Spinnaker | < 1.21.5 |
| Linuxfoundation | Spinnaker | >= 1.22.0, < 1.22.4 |
| Linuxfoundation | Spinnaker | >= 1.23.0, < 1.23.4 |
References
- https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-006.mdPatch, Third Party Advisory
- https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-006.mdPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-9301?
How severe is CVE-2020-9301?
How do I fix CVE-2020-9301?
Are you affected by CVE-2020-9301?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST