Platform: java
Component: io.spinnaker.clouddriver:clouddriver-artifacts
Fixed in: 2025.1.7, 2025.2.1, 2025.2.4, 2025.1.6
CVE-2025-61916 describes a Server-Side Request Forgery (SSRF) vulnerability within the io.spinnaker.clouddriver:clouddriver-artifacts component of Spinnaker. This vulnerability allows attackers to potentially extract sensitive data, including authentication information, by manipulating artifact configurations. The vulnerability impacts Spinnaker Clouddriver Artifacts versions up to and including main-99. A fix is available in version 2025.1.6.
The core impact of CVE-2025-61916 lies in the ability to trigger arbitrary HTTP requests from the Spinnaker server. An attacker can leverage this SSRF vulnerability to fetch data from remote URLs and inject it into Spinnaker pipelines, particularly through the use of Helm or other artifact types. This can lead to the exposure of sensitive information, such as IMDSv1 instance-metadata credentials, and the ability to call internal Spinnaker APIs. Furthermore, depending on the artifact configuration, authentication headers (e.g., GitHub authentication tokens) may be sent to external endpoints, resulting in credential theft. The blast radius extends to any system reachable from the Spinnaker server via the remote URL, potentially including internal services and external APIs.
CVE-2025-61916 was publicly disclosed on January 5, 2026. The vulnerability's impact, allowing for data exfiltration and potential credential theft, suggests a medium probability of exploitation. There are currently no publicly known active campaigns targeting this vulnerability, but the availability of SSRF vulnerabilities often leads to opportunistic exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Organizations utilizing Spinnaker for continuous delivery pipelines, particularly those relying on GitHub file artifacts or other artifact types that allow user input, are at risk. Environments with permissive network configurations or inadequate access controls are especially vulnerable. Shared hosting environments where multiple users share a Spinnaker instance should also be considered at higher risk.
• linux / server: journalctl -u spinnaker -g "outbound request"
• generic web: curl -I <spinnaker_server_ip>/artifacts/some_artifact | grep -i 'Host:'
Exploit status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-61916 is to upgrade Spinnaker Clouddriver Artifacts to version 2025.1.6 or later. Prior to upgrading, carefully review the release notes for any breaking changes that may impact existing pipelines or configurations. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the Spinnaker server to only trusted domains. Web Application Firewalls (WAFs) can be configured to block suspicious outbound requests, particularly those targeting internal or sensitive endpoints. Monitor Spinnaker logs for unusual outbound HTTP requests that may indicate exploitation attempts.
Update Spinnaker to version 2025.1.6, 2025.2.3 or 2025.3.0 or later. Alternatively, you can disable HTTP account types that allow user-supplied URLs. Consider using OPA policies to restrict access to disallowed URLs.
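The workarounds above (restrict outbound access to trusted domains, block requests to internal endpoints, watch logs for unusual outbound fetches) amount to a URL policy applied to user-supplied artifact URLs. The following is an added illustration of such a policy, not code from Spinnaker or from this advisory: it allowlists schemes and hosts, rejects IP literals in private, loopback and link-local ranges (which covers the cloud metadata endpoint), rejects URLs with embedded credentials, and then applies the same check to constructed log lines to flag fetches that violate the policy. The allowlist, the log-line format and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that artifact fetches may legitimately reach.
# Subdomains of an allowlisted host are accepted as well.
ALLOWED_HOSTS = {"github.com", "raw.githubusercontent.com", "charts.example.com"}
ALLOWED_SCHEMES = {"https"}


def _host_is_internal(host: str) -> bool:
    """True if the host is an IP literal in a private/loopback/link-local/reserved
    range, or a name that conventionally points inside the deployment.
    (Production code should additionally resolve names and re-check the
    resulting addresses; this offline example only inspects literals.)"""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Not an IP literal: treat a few well-known internal names as internal.
        return host == "localhost" or host.endswith((".local", ".internal"))
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_artifact_url(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason) for a user-supplied artifact URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        # user@host forms are a classic way to make a URL look allowlisted.
        return False, "credentials embedded in URL"
    if _host_is_internal(host):
        return False, f"host {host} is an internal/reserved address"
    if host not in allowed_hosts and not any(host.endswith("." + h) for h in allowed_hosts):
        return False, f"host {host} not in allowlist"
    return True, "ok"


# Assumed log-line shape: "... outbound request to <url>"; adjust to the real format.
LOG_LINE = re.compile(r"outbound request to (?P<url>\S+)")


def flag_suspicious_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Run the URL policy over log lines and return (url, reason) for violations."""
    flagged = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        allowed, reason = check_artifact_url(match.group("url"), allowed_hosts)
        if not allowed:
            flagged.append((match.group("url"), reason))
    return flagged


# Constructed sample log lines (not real Spinnaker output) so the example runs offline.
SAMPLE_LOG = [
    "2026-01-05 10:00:01 INFO artifact-fetch outbound request to https://raw.githubusercontent.com/org/repo/main/values.yaml",
    "2026-01-05 10:00:02 INFO artifact-fetch outbound request to http://169.254.169.254/latest/meta-data/",
    "2026-01-05 10:00:03 INFO artifact-fetch outbound request to https://untrusted.example.net/collect",
    "2026-01-05 10:00:04 INFO artifact-fetch outbound request to https://charts.example.com/index.yaml",
    "2026-01-05 10:00:05 INFO artifact-fetch outbound request to https://10.0.0.12:7002/credentials",
]

if __name__ == "__main__":
    for url, reason in flag_suspicious_requests(SAMPLE_LOG):
        print(f"FLAGGED {url}: {reason}")
```

Run as a script it prints the three violating fetches from the sample log (the plaintext metadata-service URL, the non-allowlisted external host, and the private-address internal API). The same `check_artifact_url` logic can be expressed as an OPA policy in front of the artifact account configuration, which is the page's suggested alternative to disabling user-supplied-URL account types outright.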
CVE-2025-61916 is a Server-Side Request Forgery vulnerability in Spinnaker Clouddriver Artifacts that allows attackers to fetch remote data and potentially expose sensitive information.
You are affected if you are using Spinnaker Clouddriver Artifacts versions ≤main-99. Upgrade to 2025.1.6 to mitigate the risk.
Upgrade Spinnaker Clouddriver Artifacts to version 2025.1.6 or later. Review release notes for potential breaking changes before upgrading.
There are currently no publicly known active campaigns targeting this vulnerability, but the SSRF nature suggests a potential for opportunistic exploitation.
Refer to the Spinnaker security advisories and release notes on the official Spinnaker website for detailed information and updates.