Advisory ID:
NFLX-2020-003
Advisory Title:
Authenticated Server-Side Request Forgery in Spinnaker
Credit:
Venkat from armory.io
Author:
Dan Kohlbrenner / dkohlbrenner@netflix.com
Release Date:
05/29/2020
Application:
Spinnaker (specifically Orca)
Release:
orca < v8.7.0
Source:
https://github.com/spinnaker/orca
Severity:
Critical
Overview:
Venkat discovered that the Spinnaker template resolution functionality is vulnerable to the Server-Side Request Forgery on the /pipelineTemplate endpoint. It is recommended that users update to the v8.7.0 release.
Patch:
orca < v8.7.0 https://github.com/spinnaker/orca/releases/tag/v8.7.0