Spinnaker: RCE via expression parsing due to unrestricted context handling
Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. Unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enables a user to use arbitrary java classes which allow deep access to the system. This enables the ability to invoke commands, access files, etc.