VYPR

Spinnaker

by Spinnaker

CVEs (7)

  • CVE-2026-25534 · Critical · Mar 17, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Impact: Spinnaker updated its URL validation logic to sanitize user-supplied URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916)…

  • CVE-2026-44795 · High · Jun 22, 2026
    risk 0.45 · cvss · epss

    Impact: There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when performing: CloudFormation deployments; CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading of Java classes, leading to…

  • CVE-2025-61916 · Jan 5, 2026
    risk 0.00 · cvss · epss 0.00

    Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can then be injected into…

  • CVE-2023-39348 · Aug 28, 2023
    risk 0.00 · cvss · epss 0.00

    Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly always set to FULL. It's recommended to apply the patch and rotate the GitHub token used for GitHub status notifications. Given that this would output…

  • CVE-2022-23506 · Jan 3, 2023
    risk 0.00 · cvss · epss 0.01

    Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco prior to versions 1.29.2, 1.28.4, and 1.27.3 does not properly mask secrets generated via Packer builds. This…

  • CVE-2021-43832 · Jan 4, 2022
    risk 0.00 · cvss · epss 0.03

    Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation and execution. This lets an arbitrary user with access to the gate endpoint create a pipeline and execute it without authentication. If users…

  • CVE-2021-39143 · Jan 4, 2022
    risk 0.00 · cvss · epss 0.00

    Spinnaker is an open source, multi-cloud continuous delivery platform. A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment…