Dismissed
(no matching packages found)
Permalink
CVE-2026-55175
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created & dismissed (no matching packages found) suggestion
Spinnaker: Improper yaml processing on kustomize bake operations
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.
References
-
https://github.com/spinnaker/spinnaker/security/advisories/GHSA-p68j-q7hf-3qcp x_refsource_CONFIRM
-
https://github.com/spinnaker/spinnaker/releases/tag/rosco-2025.3.4 x_refsource_MISC
-
https://github.com/spinnaker/spinnaker/releases/tag/rosco-2025.4.4 x_refsource_MISC
-
https://github.com/spinnaker/spinnaker/releases/tag/rosco-2026.0.3 x_refsource_MISC
-
https://github.com/spinnaker/spinnaker/releases/tag/rosco-2026.1.1 x_refsource_MISC
-
https://github.com/spinnaker/spinnaker/releases/tag/rosco-2026.2.0 x_refsource_MISC
Affected products
spinnaker
- ==>= 2025.4.0, < 2025.4.4
- ==>= 2026.1.0, < 2026.1.1
- ==< 2025.3.4
- ==>= 2026.0.0, < 2026.0.3