
CVE-2023-39348 – Improper log output when using GitHub Status Notifications in Spinnaker
https://notcve.org/view.php?id=CVE-2023-39348
28 Aug 2023 — Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for GitHub status notifications. Given that this would output GitHub tokens to a log system, the risk is slightly higher than a "low" since token exposure could grant elevated access to repositories outside of control. If using READ restricted tokens, the exposure is such that the token itself coul... • https://github.com/spinnaker/echo/pull/1316 • CWE-532: Insertion of Sensitive Information into Log File

CVE-2022-23506 – Spinnaker's Rosco microservice vulnerable to improper log masking on AWS Packer builds
https://notcve.org/view.php?id=CVE-2022-23506
03 Jan 2023 — Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco prior to versions 1.29.2, 1.28.4, and 1.27.3 does not properly mask secrets generated via Packer builds. This can lead to exposure of sensitive AWS credentials in Packer log files. Versions 1.29.2, 1.28.4, and 1.27.3 of Rosco contain fixes for this issue. A workaround is available. • https://github.com/spinnaker/rosco/commit/e80cfaa1abfb3a0e9026d45d6027291bfb815daf • CWE-532: Insertion of Sensitive Information into Log File