GHSA-c8q4-9h32-2ww8

Source
https://github.com/advisories/GHSA-c8q4-9h32-2ww8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c8q4-9h32-2ww8/GHSA-c8q4-9h32-2ww8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c8q4-9h32-2ww8
Aliases
  • CVE-2026-44795
Published
2026-06-22T20:43:37Z
Modified
2026-06-22T21:00:08.671872709Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Summary
Spinnaker has non-safe YAML deserialization, allowing RCE when using specific types
Details

Impact

There is an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when performing:
  • CloudFormation deployments
  • CloudFoundry Baking

The use of a non-safe YAML constructor allows arbitrary loading of Java classes, leading to RCE.

Patches

2025.3.3, 2026.0.3 and 2025.4.4.

Workarounds

Disable the CloudFormation system and CloudFoundry baking operations.

Resources

Join Spinnaker on Slack for more information!

Database specific
{
    "github_reviewed_at": "2026-06-22T20:43:37Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-470",
        "CWE-502"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Maven
io.spinnaker.rosco:rosco-core

Package

Name
io.spinnaker.rosco:rosco-core
Purl
pkg:maven/io.spinnaker.rosco/rosco-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2025.3.3

Affected versions

Other
main-5
main-6
main-7
main-8
main-9
main-10
main-11
main-12
main-13
main-14
main-15
main-16
main-17
main-18
main-19
main-20
main-21
main-22
main-23
main-24
main-30
main-31
main-32
main-33
main-34
main-35
main-36
main-37
main-38
main-39
main-40
main-41
main-42
main-43
main-44
main-45
main-46
main-47
main-48
main-49
main-50
main-51
main-52
main-53
main-54
main-55
main-56
main-57
main-58
main-59
main-60
main-61
main-62
main-63
main-64
main-65
main-66
main-67
main-68
main-69
main-70
main-71
main-72
main-73
main-74
main-75
main-76
main-77
main-78
main-79
main-80
main-81
main-84
main-85
main-86
main-87
main-88
main-89
main-90
main-91
main-92
main-93
main-94
main-95
main-96
main-97
main-98
main-99
main-100
main-101
main-102
main-103
main-104
main-105
main-107
main-108
main-109
main-110
main-111
main-112
main-113
main-114
main-115
main-116
main-117
main-118
main-119
main-120
main-121
main-122
main-123
main-124
main-125
main-126
main-127
main-128
main-129
main-130
main-131
main-132
main-133
main-134
main-135
main-136
main-137
main-138
main-139
main-140
main-141
main-142
main-143
main-144
main-145
main-146
main-147
main-148
main-149
main-150
main-151
main-152
main-153
main-154
main-155
main-156
main-157
main-158
main-159
main-160
main-161
main-162
main-163
main-164
main-165
main-166
main-167
main-168
main-169
main-170
main-171
main-172
main-173
main-174
main-175
main-176
main-177
main-178
main-179
main-180
main-181
main-182
main-183
main-184
main-185
main-186
main-187
main-188
main-189
main-190
main-191
main-192
main-193
main-194
main-195
main-196
main-197
main-198
main-199
main-200
main-201
main-202
main-203
main-204
main-205
main-206
main-207
main-208
main-209
main-210
main-211
main-212
main-213
main-214
main-215
main-216
main-217
main-218
main-219
main-220
main-221
main-222
main-223
main-224
main-225
main-226
main-227
main-228
main-229
main-230
main-231
main-232
main-233
main-234
main-235
main-236
main-237
main-239
main-241
1.*
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.8.0-rc.1
1.8.0-rc.2
1.8.0-rc.3
1.8.0-rc.4
1.8.0-rc.5
1.8.0-rc.6
1.8.0-rc.7
1.8.0-rc.8
1.8.0-rc.9
1.8.0-rc.10
1.8.0-rc.11
1.8.0-rc.12
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.9.0
1.10.0
1.11.0
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.14.0
1.15.0
1.16.0
1.17.0
1.17.1
1.17.2
1.18.0
1.18.1
1.18.2
1.19.0
1.19.1
1.20.0
1.20.1
1.20.2
1.20.3
1.21.0
1.21.1
1.22.0
1.22.1
1.22.2
1.23.0
1.23.1
1.24.0
1.25.0
1.26.0
2025.*
2025.0-0
2025.0.0
2025.0-1
2025.0-2
2025.0-3
2025.0-4
2025.0-5
2025.0-6
2025.0-7
2025.0-8
2025.0-9
2025.0-10
2025.0-11
2025.0-12
2025.0-13
2025.0-14
2025.0-15
2025.0-16
2025.0-17
2025.0-18
2025.0-19
2025.0-20
2025.0-21
2025.0-22
2025.0-23
2025.0-24
2025.0-25
2025.0.1
2025.0.2
2025.0.3
2025.0.4
2025.0.5
2025.0.6
2025.0.7
2025.0.8
2025.1-0
2025.1.0
2025.1-1
2025.1-2
2025.1-3
2025.1-4
2025.1-5
2025.1-6
2025.1-7
2025.1-8
2025.1-9
2025.1-10
2025.1-11
2025.1-12
2025.1-13
2025.1-14
2025.1-15
2025.1-16
2025.1-17
2025.1-18
2025.1-19
2025.1-20
2025.1-21
2025.1-22
2025.1.1
2025.1.2
2025.1.3
2025.1.4
2025.1.5
2025.1.6
2025.2-0
2025.2.0
2025.2-1
2025.2-2
2025.2-3
2025.2-4
2025.2-5
2025.2-6
2025.2-7
2025.2-8
2025.2-9
2025.2-10
2025.2-11
2025.2-12
2025.2-13
2025.2-14
2025.2-15
2025.2-16
2025.2.1
2025.2.2
2025.2.3
2025.2.4
2025.3-0
2025.3.0
2025.3-1
2025.3-2
2025.3-3
2025.3-4
2025.3-5
2025.3-6
2025.3-7
2025.3-8
2025.3-9
2025.3-11
2025.3-12
2025.3.1
2025.3.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c8q4-9h32-2ww8/GHSA-c8q4-9h32-2ww8.json"
io.spinnaker.orca:orca-core

Package

Name
io.spinnaker.orca:orca-core
Purl
pkg:maven/io.spinnaker.orca/orca-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2025.3.3

Affected versions

Other
main-5
main-6
main-7
main-8
main-9
main-10
main-11
main-12
main-13
main-14
main-15
main-16
main-17
main-18
main-19
main-20
main-21
main-22
main-23
main-24
main-30
main-31
main-32
main-33
main-34
main-35
main-36
main-37
main-38
main-39
main-40
main-41
main-42
main-43
main-44
main-45
main-46
main-47
main-48
main-49
main-50
main-51
main-52
main-53
main-54
main-55
main-56
main-57
main-58
main-59
main-60
main-61
main-62
main-63
main-64
main-65
main-66
main-67
main-68
main-69
main-70
main-71
main-72
main-73
main-74
main-75
main-76
main-77
main-78
main-79
main-80
main-81
main-84
main-85
main-86
main-87
main-88
main-89
main-90
main-91
main-92
main-93
main-94
main-95
main-96
main-97
main-98
main-99
main-100
main-101
main-102
main-103
main-104
main-105
main-106
main-107
main-108
main-109
main-110
main-111
main-113
main-114
main-115
main-116
main-117
main-118
main-119
main-120
main-121
main-122
main-123
main-124
main-125
main-126
main-127
main-128
main-129
main-130
main-131
main-132
main-133
main-134
main-135
main-136
main-137
main-138
main-139
main-140
main-141
main-142
main-143
main-144
main-145
main-146
main-147
main-148
main-149
main-150
main-151
main-152
main-153
main-154
main-155
main-156
main-157
main-158
main-159
main-160
main-161
main-162
main-163
main-164
main-165
main-166
main-167
main-168
main-169
main-170
main-171
main-172
main-173
main-174
main-175
main-176
main-177
main-178
main-179
main-180
main-181
main-182
main-183
main-184
main-185
main-186
main-187
main-188
main-189
main-190
main-191
main-192
main-193
main-194
main-195
main-196
main-197
main-198
main-199
main-200
main-201
main-202
main-203
main-204
main-205
main-206
main-207
main-208
main-209
main-210
main-211
main-212
main-213
main-214
main-215
main-216
main-217
main-218
main-219
main-220
main-222
main-223
main-224
main-225
main-226
main-227
main-228
main-229
main-230
main-231
main-232
main-233
main-234
main-235
main-236
main-237
main-239
main-241
8.*
8.15.0
8.16.0
8.17.1
8.18.0
8.18.2
8.18.3
8.18.4
8.18.5
8.18.6
8.18.7
8.18.8
8.18.9
8.18.10
8.18.11
8.20.0
8.21.0
8.22.0
8.23.0
8.24.1
8.24.2
8.24.3
8.24.4
8.24.5
8.24.6
8.24.7
8.24.8
8.24.9
8.25.0
8.26.0
8.27.0
8.27.1
8.27.2
8.27.3
8.27.4
8.27.5
8.27.6
8.28.0
8.29.0
8.30.0
8.31.0
8.31.1
8.31.2
8.31.3
8.31.4
8.31.5
8.31.6
8.32.0
8.33.0
8.33.1
8.33.2
8.34.0
8.35.0
8.36.0
8.36.1
8.36.2
8.37.0
8.38.0
8.39.0
8.40.0
8.41.0
8.42.0
8.44.0
8.45.0
8.47.0
8.48.0
8.48.1
8.48.2
8.48.3
8.49.0
8.50.0
8.51.0
8.51.1
8.51.2
8.51.3
8.52.0
8.53.0
8.54.0
8.54.1
8.55.0
8.56.0
8.57.0
8.57.1
8.57.2
8.58.0
8.59.0
8.60.0
8.61.0
8.61.1
8.61.2
8.62.0
8.63.0
8.64.0
2025.*
2025.0-0
2025.0.0
2025.0-1
2025.0-2
2025.0-3
2025.0-4
2025.0-5
2025.0-6
2025.0-7
2025.0-8
2025.0-9
2025.0-10
2025.0-12
2025.0-13
2025.0-14
2025.0-15
2025.0-16
2025.0-17
2025.0-18
2025.0-19
2025.0-20
2025.0-21
2025.0-22
2025.0-23
2025.0-24
2025.0-25
2025.0.1
2025.0.2
2025.0.3
2025.0.4
2025.0.5
2025.0.6
2025.0.7
2025.0.8
2025.1-0
2025.1.0
2025.1-1
2025.1-2
2025.1-3
2025.1-4
2025.1-5
2025.1-6
2025.1-7
2025.1-8
2025.1-9
2025.1-10
2025.1-11
2025.1-12
2025.1-13
2025.1-14
2025.1-15
2025.1-16
2025.1-17
2025.1-18
2025.1-19
2025.1-20
2025.1-21
2025.1-22
2025.1.1
2025.1.2
2025.1.3
2025.1.4
2025.1.5
2025.1.6
2025.2-0
2025.2.0
2025.2-1
2025.2-2
2025.2-3
2025.2-4
2025.2-5
2025.2-6
2025.2-7
2025.2-8
2025.2-9
2025.2-10
2025.2-11
2025.2-12
2025.2-13
2025.2-14
2025.2-15
2025.2-16
2025.2.1
2025.2.2
2025.2.3
2025.2.4
2025.3-0
2025.3.0
2025.3-1
2025.3-2
2025.3-3
2025.3-4
2025.3-5
2025.3-6
2025.3-7
2025.3-8
2025.3-9
2025.3-10
2025.3-11
2025.3-12
2025.3.1
2025.3.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c8q4-9h32-2ww8/GHSA-c8q4-9h32-2ww8.json"
io.spinnaker.rosco:rosco-core

Package

Name
io.spinnaker.rosco:rosco-core
Purl
pkg:maven/io.spinnaker.rosco/rosco-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2025.4.0
Fixed
2025.4.4

Affected versions

2025.*
2025.4-0
2025.4.0
2025.4-1
2025.4-2
2025.4-3
2025.4-4
2025.4-5
2025.4-6
2025.4-7
2025.4-8
2025.4-9
2025.4-10
2025.4-11
2025.4-12
2025.4-13
2025.4-14
2025.4-15
2025.4-16
2025.4-17
2025.4-18
2025.4-19
2025.4-20
2025.4-21
2025.4.1
2025.4.2
2025.4.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c8q4-9h32-2ww8/GHSA-c8q4-9h32-2ww8.json"
io.spinnaker.rosco:rosco-core

Package

Name
io.spinnaker.rosco:rosco-core
Purl
pkg:maven/io.spinnaker.rosco/rosco-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2026.0.0
Fixed
2026.0.3

Affected versions

2026.*
2026.0-0
2026.0.0
2026.0-1
2026.0-2
2026.0-3
2026.0-4
2026.0-5
2026.0-6
2026.0-7
2026.0-8
2026.0-9
2026.0-10
2026.0-11
2026.0-12
2026.0-13
2026.0-14
2026.0-15
2026.0-16
2026.0-17
2026.0-18
2026.0.1
2026.0.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c8q4-9h32-2ww8/GHSA-c8q4-9h32-2ww8.json"
io.spinnaker.orca:orca-core

Package

Name
io.spinnaker.orca:orca-core
Purl
pkg:maven/io.spinnaker.orca/orca-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2025.4.0
Fixed
2025.4.4

Affected versions

2025.*
2025.4-0
2025.4.0
2025.4-1
2025.4-2
2025.4-3
2025.4-4
2025.4-5
2025.4-6
2025.4-7
2025.4-8
2025.4-9
2025.4-10
2025.4-11
2025.4-12
2025.4-13
2025.4-14
2025.4-15
2025.4-16
2025.4-17
2025.4-18
2025.4-19
2025.4-20
2025.4-21
2025.4.1
2025.4.2
2025.4.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c8q4-9h32-2ww8/GHSA-c8q4-9h32-2ww8.json"
io.spinnaker.orca:orca-core

Package

Name
io.spinnaker.orca:orca-core
Purl
pkg:maven/io.spinnaker.orca/orca-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2026.0.0
Fixed
2026.0.3

Affected versions

2026.*
2026.0-0
2026.0.0
2026.0-1
2026.0-2
2026.0-3
2026.0-4
2026.0-5
2026.0-6
2026.0-7
2026.0-8
2026.0-9
2026.0-10
2026.0-11
2026.0-12
2026.0-13
2026.0-14
2026.0-15
2026.0-16
2026.0-17
2026.0-18
2026.0.1
2026.0.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c8q4-9h32-2ww8/GHSA-c8q4-9h32-2ww8.json"