CVE-2021-39133
Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.
Timeline
- 2021-08-16 CVE Reserved
- 2021-08-30 CVE Published
- 2023-03-23 EPSS Updated
- 2024-08-04 CVE Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
References (2)
URL | Tag / Date | Source
---|---|---
https://github.com/rundeck/rundeck/security/advisories/GHSA-3jmw-c69h-426c | Third Party Advisory | GitHub
https://github.com/rundeck/rundeck/commit/67c4eedeaf9509fc0b255aff15977a5229ef13b9 | 2021-09-08 (fix commit) | GitHub
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Pagerduty | Rundeck | < 3.3.14 | - | Affected
Pagerduty | Rundeck | >= 3.4.0 < 3.4.3 | - | Affected