CVE-2023-47112

Authenticated users can view job names and groups they do not have authorization to view in Rundeck

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information. This vulnerability has been patched in version 4.17.3. Users are advised to upgrade. Users unable to upgrade may block access to the two URLs used in either Rundeck Open Source or Process Automation products at a load balancer level.

Rundeck es un servicio de automatización de código abierto con una consola web, herramientas de línea de comandos y una WebAPI. En las versiones afectadas, el acceso a dos URL utilizadas en los productos Rundeck Open Source y Process Automation podría permitir a los usuarios autenticados acceder a la ruta URL, que proporciona una lista de nombres de trabajos y grupos para cualquier proyecto, sin las comprobaciones de autorización necesarias. La salida de estos endpoints solo expone el nombre de los grupos de trabajos y los trabajos contenidos dentro del proyecto especificado. La salida es de sólo lectura y el acceso no permite cambios en la información. Esta vulnerabilidad ha sido parcheada en la versión 4.17.3. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden bloquear el acceso a las dos URL utilizadas en los productos Rundeck Open Source o Process Automation a nivel de balanceador de carga.

*Credits: N/A

CVSS Scores

NISTv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-30 CVE Reserved
2023-11-16 CVE Published
2023-11-25 EPSS Updated
2024-08-29 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/rundeck/rundeck/security/advisories/GHSA-xvmv-4rx6-x6jx	2023-11-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pagerduty Search vendor "Pagerduty"		Rundeck Search vendor "Pagerduty" for product "Rundeck"				>= 4.17.0 < 4.17.3 Search vendor "Pagerduty" for product "Rundeck" and version " >= 4.17.0 < 4.17.3"		-		Affected