CVE-2021-41111 – Authorization Bypass Through User-Controlled Key in Rundeck
https://notcve.org/view.php?id=CVE-2021-41111
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal webhook definitions and tokens in another project. The user could then use the revealed webhook tokens to trigger those webhooks. Severity depends on the trust level of authenticated users and on whether any webhooks exist that trigger sensitive actions. Patches for this vulnerability are in versions 3.4.5 and 3.3.15.
References: https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5 • https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2021-39133 – Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server
https://notcve.org/view.php?id=CVE-2021-39133
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.3.14 and 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code; this affects all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.
References: https://github.com/rundeck/rundeck/commit/67c4eedeaf9509fc0b255aff15977a5229ef13b9 • https://github.com/rundeck/rundeck/security/advisories/GHSA-3jmw-c69h-426c
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-39132 – YAML deserialization can run untrusted code
https://notcve.org/view.php?id=CVE-2021-39132
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.3.14 and 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, a crafted aclpolicy YAML file, or an untrusted project archive containing a crafted aclpolicy YAML file, and thereby cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can also make a POST request that causes the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issue requires authentication and authorization at the following access level, and affects all Rundeck editions: `admin` level access to the `system` resource type. The ACL policy YAML file upload issue requires authentication and authorization at the following access levels, and affects all Rundeck editions: `create`, `update` or `admin` level access to a `project_acl` resource, and/or `create`, `update` or `admin` level access to the `system_acl` resource.
References: https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6 • https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf
CWE-502: Deserialization of Untrusted Data
CVE-2020-11009 – IDOR can reveal execution data and logs to unauthorized user in Rundeck
https://notcve.org/view.php?id=CVE-2020-11009
In Rundeck before version 3.2.6, authenticated users can craft a request that reveals execution data, execution logs and job details that they are not authorized to see. Depending on the configuration and the way Rundeck is used, this could be anything from a high severity risk to a very low one. If access is tightly restricted and all users on the system already have access to all projects, this is not much of an issue. If access is wider and allows login for users that do not have access to any projects, or if project access is restricted, the issue is larger. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher.
References: https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html • https://github.com/rundeck/rundeck/security/advisories/GHSA-5679-7qrc-5m7j
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2019-3800 – CF CLI writes the client id and secret to config file
https://notcve.org/view.php?id=CVE-2019-3800
CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client id and secret to the CLI config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, the owner of the leaked credentials.
References: https://pivotal.io/security/cve-2019-3800 • https://www.cloudfoundry.org/blog/cve-2019-3800
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-522: Insufficiently Protected Credentials