CVE-2026-44795 — Spinnaker is an open source, multi-cloud continuous...
CVE-2026-44795 漏洞深度分析
漏洞概述
CVE 编号: CVE-2026-44795
CVSS 评分: 8.8(HIGH)
CVSS 向量: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE 分类: CWE-470,CWE-502
漏洞状态: Awaiting Analysis
发布时间: 2026-07-10T22:16:41.717
最后更新: 2026-07-14T15:17:01.840
漏洞描述
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading of Java classes, leading to remote code execution. This issue is fixed in versions 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3.
影响分析
此漏洞的具体影响取决于实际利用场景。"
修复建议
- 及时关注厂商发布的安全更新和补丁
- 升级受影响组件到最新版本
- 如无法立即升级,参考厂商提供的临时缓解措施
- 加强网络访问控制和监控
参考链接
- https://github.com/spinnaker/spinnaker/commit/4cbe1d5fea9df573aadfd8b093fb4b594b354ee5
- https://github.com/spinnaker/spinnaker/commit/e57c0db4584b398473a7bbb19402ce6c1e89b627
- https://github.com/spinnaker/spinnaker/commit/f69d7b534d068ed74d0d3a1fbf17e2c945d36e5e
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-c8q4-9h32-2ww8
💬 评论