CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47112 – Authenticated users can view job names and groups they do not have authorization to view in Rundeck
https://notcve.org/view.php?id=CVE-2023-47112
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information. This vulnerability has been patched in version 4.17.3. • https://github.com/rundeck/rundeck/security/advisories/GHSA-xvmv-4rx6-x6jx • CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48222 – Authenticated users can view or delete jobs they do not have authorization for in Rundeck
https://notcve.org/view.php?id=CVE-2023-48222
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31044 – Plaintext Storage of Keys and Passwords in Rundeck and PagerDuty Process Automation
https://notcve.org/view.php?id=CVE-2022-31044
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. This affects those using any `Storage Converter` plugin. Rundeck 4.3.1 and 4.2.2 have fixed the code and upon upgrade will re-encrypt any plain text values. • https://github.com/rundeck/rundeck/security/advisories/GHSA-hprf-rrwq-jm5c • CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29186 – Use of Hard-coded Cryptographic Key in rundeck/rundeck, rundeckpro/enterprise
https://notcve.org/view.php?id=CVE-2022-29186
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. • https://github.com/rundeck/rundeck/commit/16ef7a70b202492f9fbb54d8af4bb8ea0afa10ad https://github.com/rundeck/rundeck/security/advisories/GHSA-qxjx-xr2m-hgqx • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41112 – Missing Authorization in Rundeck
https://notcve.org/view.php?id=CVE-2021-41112
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. • https://github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8 • CWE-862: Missing Authorization •