CVE-2023-39348 | Improper log output when using GitHub Status Notifications in spinnaker

Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for github status notifications. Given that this would output github tokens to a log system, the risk is slightly higher than a "low" since token exposure could grant elevated access to repositories outside of control. If using READ restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads. This only affects users of GitHub Status Notifications. This issue has been addressed in pull request 1316. Users are advised to upgrade. Users unable to upgrade should disable GH Status Notifications, Filter their logs for Echo log data and use read-only tokens that are limited in scope.

Published: 2023-08-28 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]

NVD Status：Modified，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2023-39348

EPSS CVSS CWE GHSA Affected

Conclusion & alert: CVE-2023-39348 is rated Low Risk (33.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.27%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2023-39348

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-23	0.20%	0.27%	+0.07%
2	2025-03-17	0.05%	0.20%	+0.15%
3	2024-07-28	—	0.05%	—

Full EPSS history (4 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-39348

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.0	3.1	MEDIUM	`CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N` Click to expand Attack vector (AV:P) Hands-on access—USB, keyboard, opening the case—not something you do purely over the wire. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	0.9	2.7	[email protected]
5.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	3.9	1.4	[email protected]

Weakness enumeration for CVE-2023-39348

CWE-532 MITRE ↗

GitHub Security Advisory for CVE-2023-39348

GHSA-rq5c-hvw6-8pr7 · Severity: medium · Ecosystem: go — Improper log output when using GitHub Status Notifications in spinnaker

Affected software / configurations for CVE-2023-39348

Vendor	Product	Version	Raw CPE
linuxfoundation	spinnaker	< 1.28.8	cpe:2.3:a:linuxfoundation:spinnaker::::::::
linuxfoundation	spinnaker	>= 1.29.0, < 1.29.6	cpe:2.3:a:linuxfoundation:spinnaker::::::::
linuxfoundation	spinnaker	>= 1.30.0, < 1.30.3	cpe:2.3:a:linuxfoundation:spinnaker::::::::
linuxfoundation	spinnaker	1.30.0	cpe:2.3:a:linuxfoundation:spinnaker:1.30.0:::::::*

References for CVE-2023-39348

URL	Tags
https://github.com/spinnaker/echo/pull/1316	Patch
https://github.com/spinnaker/spinnaker/security/advisories/GHSA-rq5c-hvw6-8pr7	Vendor Advisory

cvelogic Threat Intelligence