Skip to main content

CVE-2021-43832 - FavExploit- Spinnaker RCE Vulnerability in Gate

Issue

Armory has since published updates to the code for OSS and Armory Enterprise. The Spinnaker Security SIG received a report of a previously undisclosed RCE attack vector that bypasses authentication in Spinnaker. This exploit allows an actor to make any resourced API call through Gate without authentication. The documented exploit affects any Spinnaker version within the last four years, but was only discovered on Dec 14th, 2021 Armory has created a placeholder CVE that has not been made public yet.  We ask that customers upgrade to a version with the fix as soon as possible. ***Update Jan 3, 2022: ***The following CVE was published and made available today to the general public https://cve.report/CVE-2021-43832 ***Update Oct 28, 2022: ***Added CVE# to title for formatting purposes.  

Cause

RCE attack vector discovered  CVE-2021-43832 will be tracking this issue.  This article will be updated with a link to the CVE once it has been made public