CVE-2023-39348 – Improper log output when using GitHub Status Notifications in spinnaker
https://notcve.org/view.php?id=CVE-2023-39348
Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for github status notifications. Given that this would output github tokens to a log system, the risk is slightly higher than a "low" since token exposure could grant elevated access to repositories outside of control. If using READ restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads. • https://github.com/spinnaker/echo/pull/1316 https://github.com/spinnaker/spinnaker/security/advisories/GHSA-rq5c-hvw6-8pr7 • CWE-532: Insertion of Sensitive Information into Log File •