CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41111 – Authorization Bypass Through User-Controlled Key in Rundeck
https://notcve.org/view.php?id=CVE-2021-41111
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. • https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5 https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2021-39133 – Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server
https://notcve.org/view.php?id=CVE-2021-39133
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14. Rundeck es un servicio de automatización de código abierto con una consola web, herramientas de línea de comandos y una WebAPI. Versiones anteriores a 3.3.14 y versión 3.4.3, un usuario con acceso "admin" al tipo de recurso "system" es potencialmente vulnerable a un ataque de tipo CSRF que podría causar que el servidor ejecute código no confiable en todas las ediciones de Rundeck. • https://github.com/rundeck/rundeck/commit/67c4eedeaf9509fc0b255aff15977a5229ef13b9 https://github.com/rundeck/rundeck/security/advisories/GHSA-3jmw-c69h-426c • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-39132 – YAML deserialization can run untrusted code
https://notcve.org/view.php?id=CVE-2021-39132
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:`admin` level access to the `system` resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: `create` `update` or `admin` level access to a `project_acl` resource, and/or`create` `update` or `admin` level access to the `system_acl` resource. • https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6 https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11009 – IDOR can reveal execution data and logs to unauthorized user in Rundeck
https://notcve.org/view.php?id=CVE-2020-11009
In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher. • https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html https://github.com/rundeck/rundeck/security/advisories/GHSA-5679-7qrc-5m7j • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2144
https://notcve.org/view.php?id=CVE-2020-2144
Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Jenkins Rundeck Plugin versiones 3.6.6 y anteriores, no configura su analizador XML para impedir ataques de tipo XML external entity (XXE). • http://www.openwall.com/lists/oss-security/2020/03/09/1 https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1702 • CWE-611: Improper Restriction of XML External Entity Reference •