Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data org.rundeck:rundeck-core is an enable Self-Service operations. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An authorized user can upload a zip-format plugin with a crafted `plugin.yaml`, or a crafted `aclpolicy` yaml file, or upload an untrusted project archive with a crafted `aclpolicy` yaml file. This can cause the server to run untrusted code. (On Rundeck Enterprise Edition an authenticated user can make a POST request that can cause the server to act similarly.) The zip-format plugin issue requires `admin` level access to the `system` resource type. The ACL Policy yaml file upload issues require `create`, `update`, or `admin` level access to a `project_acl` resource or to the `system_acl` resource. How to fix Deserialization of Untrusted Data? Upgrade `org.rundeck:rundeck-core` to version 3.3.14, 3.4.3 or higher.	[0,3.3.14)[3.4.0,3.4.3)

Deserialization of Untrusted Data

org.rundeck:rundeck-core is an enable Self-Service operations.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file. This can cause the server to run untrusted code. (On Rundeck Enterprise Edition an authenticated user can make a POST request that can cause the server to act similarly.)

The zip-format plugin issue requires admin level access to the system resource type. The ACL Policy yaml file upload issues require create, update, or admin level access to a project_acl resource or to the system_acl resource.

How to fix Deserialization of Untrusted Data?

Upgrade org.rundeck:rundeck-core to version 3.3.14, 3.4.3 or higher.

[0,3.3.14)[3.4.0,3.4.3)

Go back to all versions of this package