Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/spinnaker/spinnaker: CVE-2023-39348 #2032

Closed
GoVulnBot opened this issue Aug 28, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/spinnaker/spinnaker: CVE-2023-39348 #2032

GoVulnBot opened this issue Aug 28, 2023 · 1 comment
Assignees
@neild
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-39348 references github.com/spinnaker/spinnaker, which may be a Go module.

Description:
Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for github status notifications. Given that this would output github tokens to a log system, the risk is slightly higher than a "low" since token exposure could grant elevated access to repositories outside of control. If using READ restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads. This only affects users of GitHub Status Notifications. This issue has been addressed in pull request 1316. Users are advised to upgrade. Users unable to upgrade should disable GH Status Notifications, Filter their logs for Echo log data and use read-only tokens that are limited in scope.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/spinnaker/spinnaker
      vulnerable_at: 0.83.0
      packages:
        - package: spinnaker
description: |-
    Spinnaker is an open source, multi-cloud continuous delivery platform. Log
    output when updating GitHub status is improperly set to FULL always. It's
    recommended to apply the patch and rotate the GitHub token used for github
    status notifications. Given that this would output github tokens to a log
    system, the risk is slightly higher than a "low" since token exposure could
    grant elevated access to repositories outside of control. If using READ
    restricted tokens, the exposure is such that the token itself could be used to
    access resources otherwise restricted from reads. This only affects users of
    GitHub Status Notifications. This issue has been addressed in pull request 1316.
    Users are advised to upgrade. Users unable to upgrade should disable GH Status
    Notifications, Filter their logs for Echo log data and use read-only tokens that
    are limited in scope.
cves:
    - CVE-2023-39348
references:
    - advisory: https://github.com/spinnaker/spinnaker/security/advisories/GHSA-rq5c-hvw6-8pr7
    - fix: https://github.com/spinnaker/echo/pull/1316
@neild neild self-assigned this Sep 14, 2023
@neild neild added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Sep 14, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/528596 mentions this issue: data/excluded: batch add 10 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @gopherbot @GoVulnBot