CVE-2023-39348
CVE-2023-39348 is a medium-severity vulnerability in Linuxfoundation Spinnaker with a CVSS 3.x base score of 4.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-532.
Key facts
- Severity: Medium (CVSS 3.x base score 4.0)
- EPSS exploit prediction: 0% (24th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-532
- Affected product: Linuxfoundation Spinnaker
- Published:
- Last modified:
Description
Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for github status notifications. Given that this would output github tokens to a log system, the risk is slightly higher than a "low" since token exposure could grant elevated access to repositories outside of control. If using READ restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads. This only affects users of GitHub Status Notifications. This issue has been addressed in pull request 1316. Users are advised to upgrade. Users unable to upgrade should disable GH Status Notifications, Filter their logs for Echo log data and use read-only tokens that are limited in scope.
Frequently asked questions
- What is CVE-2023-39348?
- Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for github status notifications. Given that this would output github tokens to a log system, the risk is slightly higher than a "low" since token exposure could grant elevated access to repositories outside of control. If using READ restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads. This only affects users of GitHub Status Notifications. This issue has been addressed in pull request 1316. Users are advised to upgrade. Users unable to upgrade should disable GH Status Notifications, Filter their logs for Echo log data and use read-only tokens that are limited in scope.
- How severe is CVE-2023-39348?
- CVE-2023-39348 has a CVSS 3.x base score of 4.0, rated medium severity. It is exploitable over physical access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2023-39348 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (24th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-39348?
- CVE-2023-39348 primarily affects Linuxfoundation Spinnaker. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-39348?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-39348 published?
- CVE-2023-39348 was published on 2023-08-28 and last updated on 2026-06-17.
References
- https://github.com/spinnaker/echo/pull/1316
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-rq5c-hvw6-8pr7
Affected products (2)
- cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:spinnaker:1.30.0:*:*:*:*:*:*:*
More vulnerabilities in Linuxfoundation Spinnaker
- CVE-2021-43832 — Critical (CVSS 10.0): Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing…
- CVE-2026-32613 — Critical (CVSS 9.9): Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring…
- CVE-2026-32604 — Critical (CVSS 9.9): Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1,…
- CVE-2020-9301 — High (CVSS 8.8): Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to…
- CVE-2025-61916 — High (CVSS 7.9): Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and…
- CVE-2021-39143 — Medium (CVSS 6.6): Spinnaker is an open source, multi-cloud continuous delivery platform. A path traversal vulnerability was discovered in…
All CVEs affecting Linuxfoundation Spinnaker →
Other CWE-532 (Insertion of Sensitive Information into Log File) vulnerabilities
- CVE-2022-36407 — Critical (CVSS 9.9): Insertion of Sensitive Information into Log File vulnerability in Hitachi Virtual Storage Platform, Hitachi Virtual…
- CVE-2023-40029 — Critical (CVSS 9.9): Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively…
- CVE-2021-32724 — Critical (CVSS 9.9): check-spelling is a github action which provides CI spell checking. In affected versions and for a repository with the…
- CVE-2026-49200 — Critical (CVSS 9.8): The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file…
- CVE-2026-22778 — Critical (CVSS 9.8): vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid…
- CVE-2025-11008 — Critical (CVSS 9.8): The CE21 Suite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and…
Browse all CWE-532 (Insertion of Sensitive Information into Log File) vulnerabilities →