{
  "variant_id": "cve-2026-55175-kustomize4-alt-entrypoint",
  "created_at": "2026-07-15T13:30:00Z",
  "variant_summary": "KUSTOMIZE4 sibling bake endpoint (POST /api/v2/manifest/bake/KUSTOMIZE4) is an alternate entry point to the same KustomizationFileReader.convert() unsafe-YAML-tag sink. Reproduced RCE on the vulnerable version; the SafeConstructor fix covers this path (no bypass).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/spinnaker/spinnaker.git",
  "submitted_target": {
    "target_kind": "commit",
    "commit_sha": "f5cec213f8cf207843ed5a6929395960a1ca094f",
    "display": "fixed commit f5cec213f8cf207843ed5a6929395960a1ca094f"
  },
  "variant_target": {
    "target_kind": "commit",
    "commit_sha": "f5cec213f8cf207843ed5a6929395960a1ca094f",
    "version": "2026.1.1-line",
    "ref": "f5cec213f8cf207843ed5a6929395960a1ca094f",
    "display": "fixed commit f5cec213f8cf207843ed5a6929395960a1ca094f (tested for bypass via KUSTOMIZE4)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "POST /api/v2/manifest/bake/KUSTOMIZE4 with templateRenderer=KUSTOMIZE4 and a github/file inputArtifact whose kustomization.yaml contains a !!javax.script.ScriptEngineManager YAML tag",
  "attacker_controlled_input": "malicious kustomization.yaml served as Rosco KUSTOMIZE4 bake input artifact via Clouddriver artifact fetch",
  "trigger_path": "POST /api/v2/manifest/bake/KUSTOMIZE4 -> V2BakeryController.doBake -> KustomizeBakeManifestService.bake -> KustomizeTemplateUtils.buildBakeRecipe -> oldBuildBakeRecipe -> getFilesFromArtifact -> KustomizationFileReader.getKustomization -> KustomizationFileReader.convert (SnakeYAML load)",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "is_bypass": false,
  "claim_block_reason": null,
  "blocking_mitigation": "SafeConstructor + Jackson convertValue in KustomizationFileReader.convert covers the KUSTOMIZE4 dispatch path (same shared sink).",
  "file_path": "rosco/rosco-manifests/src/main/java/com/netflix/spinnaker/rosco/manifests/kustomize/KustomizationFileReader.java",
  "line_start": 96,
  "line_end": 102,
  "secondary_anchors": [
    {
      "file_path": "rosco/rosco-web/src/main/groovy/com/netflix/spinnaker/rosco/controllers/V2BakeryController.java",
      "line_start": 38,
      "line_end": 56
    },
    {
      "file_path": "rosco/rosco-manifests/src/main/java/com/netflix/spinnaker/rosco/manifests/kustomize/KustomizeBakeManifestService.java",
      "line_start": 37,
      "line_end": 45
    },
    {
      "file_path": "rosco/rosco-manifests/src/main/java/com/netflix/spinnaker/rosco/manifests/kustomize/KustomizeTemplateUtils.java",
      "line_start": 190,
      "line_end": 200
    }
  ],
  "review_scope_paths": [
    "rosco/rosco-manifests/src/main/java/com/netflix/spinnaker/rosco/manifests/kustomize/KustomizationFileReader.java",
    "rosco/rosco-manifests/src/main/java/com/netflix/spinnaker/rosco/manifests/kustomize/KustomizeBakeManifestService.java",
    "rosco/rosco-manifests/src/main/java/com/netflix/spinnaker/rosco/manifests/kustomize/KustomizeTemplateUtils.java",
    "rosco/rosco-web/src/main/groovy/com/netflix/spinnaker/rosco/controllers/V2BakeryController.java"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/vulnerable_attempt_1.evidence.txt",
      "bundle/vuln_variant/fixed_attempt_1.evidence.txt"
    ]
  }
}
