CVE-2023-39348 – Improper log output when using GitHub Status Notifications in spinnaker
https://notcve.org/view.php?id=CVE-2023-39348
Spinnaker is an open source, multi-cloud continuous delivery platform. When Echo sends a GitHub status update, the log level for that request is always set to FULL, so the complete request, including the GitHub token used to authenticate it, is written to the log system. It's recommended to apply the patch and rotate the GitHub token used for GitHub status notifications. Because the token ends up in a log system, the risk is somewhat higher than "low": anyone with access to the logs can use the token, which may grant elevated access to repositories outside the operator's control. Even a read-restricted token still lets whoever obtains it read every repository it can see, which would otherwise be restricted. • https://github.com/spinnaker/echo/pull/1316 https://github.com/spinnaker/spinnaker/security/advisories/GHSA-rq5c-hvw6-8pr7 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2022-23506 – Spinnaker's Rosco microservice vulnerable to improper log masking on AWS Packer builds
https://notcve.org/view.php?id=CVE-2022-23506
Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco prior to versions 1.29.2, 1.28.4, and 1.27.3 does not properly mask the secrets it generates for Packer builds, so the AWS credentials handed to Packer can appear in clear text in the Packer log files. Versions 1.29.2, 1.28.4, and 1.27.3 of Rosco contain fixes for this issue. A workaround is available: use short-lived credentials obtained through role assumption and IAM profiles instead of long-lived access keys, which limits how long a leaked credential remains usable. Any long-lived key that has already appeared in a build log should be treated as exposed and rotated. • https://github.com/spinnaker/rosco/commit/e80cfaa1abfb3a0e9026d45d6027291bfb815daf https://github.com/spinnaker/spinnaker/security/advisories/GHSA-2233-cqj8-j2q5 • CWE-532: Insertion of Sensitive Information into Log File •
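Both advisories above are CWE-532 cases: a credential is written to a log, once by an HTTP client logging at FULL level and once by a Packer build echoing the AWS keys it was given. The example below is added here and is not code from Spinnaker, Echo or Rosco; it is Python rather than the project's own Java so it runs on its own. It shows the two things an operator needs after a bug of this kind: a scan over existing log lines to find which tokens are already exposed and must be rotated, and a logging filter that masks credentials before they are written, independent of whatever log level a client library picks for itself. The token shapes (GitHub ghp_/github_pat_ prefixes, AWS AKIA/ASIA key IDs, 40-character secret keys) are assumptions about credential formats, and the sample log lines are constructed, not real Spinnaker output.

```python
"""Detect and mask credentials that have leaked into log output (CWE-532)."""
import io
import logging
import re

# Credential shapes are assumptions, not taken from the advisories: GitHub tokens carry a
# ghp_/gho_/ghu_/ghs_/ghr_ or github_pat_ prefix, AWS access key IDs start with AKIA/ASIA,
# AWS secret keys are 40 base64-like characters. The first pattern catches any credential in a
# dumped Authorization header regardless of its shape, which is what a FULL-level client log shows.
PATTERNS = {
    "authorization_header": re.compile(r"(?i)authorization:\s*(?:token|bearer|basic)\s+(?P<secret>\S+)"),
    "github_token": re.compile(r"\b(?P<secret>gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "github_fine_grained": re.compile(r"\b(?P<secret>github_pat_[A-Za-z0-9_]{22,})\b"),
    "aws_access_key_id": re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_secret_access_key|secret_key)\s*[=:]\s*(?P<secret>[A-Za-z0-9/+=]{40})"
    ),
}


def _mask(kind):
    """Build a re.sub callback that replaces only the 'secret' group of a match, keeping its context."""
    def repl(m):
        whole, off = m.group(0), m.start()
        start, end = m.span("secret")
        return whole[: start - off] + f"[REDACTED:{kind}]" + whole[end - off:]
    return repl


def redact(line: str) -> str:
    """Return the line with every recognised credential replaced by a redaction marker."""
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(_mask(kind), line)
    return line


def scan_log(lines):
    """Return (1-based line number, kind) for every credential found; each hit needs rotating."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((number, kind))
    return findings


class SecretRedactingFilter(logging.Filter):
    """Mask credentials after the message is interpolated but before the handler writes it.

    Attached to a handler it covers every logger feeding that handler, whatever log level a
    library or a misconfigured HTTP client chooses for its own output.
    """
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above; avoid a second % formatting pass
        return True


def log_with_redaction(message: str, *args) -> str:
    """Emit one DEBUG record through a handler carrying SecretRedactingFilter; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger = logging.getLogger("cwe532-demo")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers = [handler]
    logger.debug(message, *args)
    handler.flush()
    return buf.getvalue().rstrip("\n")


# Constructed sample lines shaped like the two leak cases: an HTTP client dumping request headers
# at FULL log level, and a packer build echoing the environment it was given. Not real Spinnaker logs.
SAMPLE_LOG = [
    "DEBUG ---> POST https://api.github.com/repos/example/app/statuses/0a1b2c3d",
    "DEBUG Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz0123",
    "INFO  amazon-ebs: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "INFO  amazon-ebs: Waiting for AMI to become ready...",
]

if __name__ == "__main__":
    for number, kind in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} exposed; rotate it")
    for line in SAMPLE_LOG:
        print(redact(line))
    print(log_with_redaction("Authorization: token %s", "ghp_" + "x" * 36))
```

The filter sits on the handler rather than on a particular logger so that a library's own debug output (the FULL-level request dump in the Echo case) is masked too. Masking is a backstop, not a substitute for the fixes: a credential that was ever written in clear text has to be rotated, which is why the scan reports line numbers rather than silently cleaning them.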