CVE-2023-39348: 
vulnerability analysis and mitigation

Spinnaker, an open source multi-cloud continuous delivery platform, was found to have a vulnerability where log output when updating GitHub status was improperly set to FULL always. The vulnerability was assigned CVE-2023-39348 and was disclosed on August 28, 2023. This issue affects multiple versions of Spinnaker including versions prior to 1.28.8, 1.29.6, 1.30.3, and 1.31.1 (NVD, GitHub Advisory).

The vulnerability stems from improper logging configuration where GitHub status updates are always set to FULL logging mode. This results in sensitive information, specifically GitHub tokens, being exposed in log systems. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue has been classified under CWE-532 (Insertion of Sensitive Information into Log File) (NVD).

The exposure of GitHub tokens in log systems could grant elevated access to repositories outside of intended control. Even with READ restricted tokens, the exposure could allow unauthorized access to resources that should be restricted from reads. This vulnerability specifically affects users who have implemented GitHub Status Notifications (GitHub Advisory).

Several mitigation steps are recommended: 1) Apply the patch provided in pull request 1316, 2) Rotate any GitHub tokens used for GitHub status notifications, 3) For users unable to upgrade, disable GitHub Status Notifications, 4) Filter logs for Echo log data, and 5) Use read-only tokens with limited scope. The issue has been addressed in the latest releases of the supported branches (GitHub PR, GitHub Advisory).