org.rundeck:rundeck-core@3.4.1-20210715 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.rundeck:rundeck-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Deserialization of Untrusted Data (severity: High)

org.rundeck:rundeck-core is the core library of Rundeck, a runbook automation platform for enabling self-service operations.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An authorized user can upload a zip-format plugin containing a crafted plugin.yaml, upload a crafted aclpolicy YAML file, or upload an untrusted project archive containing a crafted aclpolicy YAML file. Deserializing any of these causes the server to run untrusted code. (On Rundeck Enterprise Edition an authenticated user can make a POST request that causes the server to act similarly.)

The zip-format plugin issue requires admin-level access to the system resource type. The aclpolicy YAML upload issues require create, update, or admin-level access to a project_acl resource or to the system_acl resource. In both cases the attacker must already hold an account, so the impact is privilege escalation from a plugin- or ACL-managing role to code execution on the Rundeck server.
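As an added illustration of the bug class the advisory describes, and not code from Rundeck or Snyk: Rundeck reads plugin.yaml and aclpolicy files with SnakeYAML, and the assumption made here is that the vulnerable loader used SnakeYAML's default Constructor, which honours `!!fully.qualified.ClassName` tags and instantiates whatever class the document names with attacker-chosen constructor arguments. The example contrasts that pattern with a SafeConstructor-based loader on a constructed plugin.yaml fragment. The class and method names (YamlLoaderCheck, loadUnrestricted, loadSafe, safeLoaderRejects) are hypothetical, the sample document is constructed for the demo, and SnakeYAML 1.x (the series in use when Rundeck 3.4 shipped) is assumed to be on the classpath.

```java
// Added example, not Rundeck's own code. Assumes SnakeYAML 1.x on the classpath.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import java.util.Map;

public class YamlLoaderCheck {
    // Constructed sample: looks like a plugin.yaml header, but one value carries a global tag
    // that asks the loader to instantiate an arbitrary class. java.io.File is chosen because
    // building it is harmless; with an unrestricted loader the attacker picks the class, not us.
    static final String CRAFTED =
        "name: demo-plugin\n" +
        "version: 1.0\n" +
        "config: !!java.io.File [\"/etc/hostname\"]\n";

    // Vulnerable pattern (assumed): the default Constructor honours !!fully.qualified.ClassName
    // tags and instantiates the named class, passing the YAML sequence as constructor arguments.
    static Object loadUnrestricted(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and rejects every global tag, so the document can no longer reach arbitrary Java classes.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    // True when the safe loader refuses the document (SnakeYAML raises a YAMLException subclass).
    static boolean safeLoaderRejects(String doc) {
        try {
            loadSafe(doc);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadUnrestricted(CRAFTED);
        // Shows which class the unrestricted loader built for the "config" key.
        System.out.println("unrestricted loader built: " + unsafe.get("config").getClass().getName());
        System.out.println("safe loader rejects crafted doc: " + safeLoaderRejects(CRAFTED));

        String benign = "name: demo-plugin\nversion: 1.0\n";
        System.out.println("safe loader accepts benign doc: " + (loadSafe(benign) instanceof Map));
    }
}
```

With SnakeYAML 2.x the SafeConstructor takes a LoaderOptions argument (new SafeConstructor(new LoaderOptions())); the behaviour contrasted above is otherwise the same. The point of the demo is that under the unrestricted loader the document, not the application, decides which class is instantiated and with what arguments; chaining that through classes that open network connections or load code is how a crafted plugin.yaml or aclpolicy file reaches code execution on the server.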

How to fix Deserialization of Untrusted Data?

Upgrade org.rundeck:rundeck-core to version 3.3.14 or higher on the 3.3 line, or to version 3.4.3 or higher on the 3.4 line.

Vulnerable versions: [0,3.3.14) and [3.4.0,3.4.3)
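A small version check, added here and not part of the advisory, that applies the two ranges above to a Rundeck version string such as the 3.4.1-20210715 in the page title. It assumes Snyk's interval notation ([lower,upper): inclusive lower bound, exclusive upper bound) and treats the -YYYYMMDD build stamp as a qualifier to strip, since the advisory's bounds carry none; the class and method names (RundeckVersionCheck, parse, compare, inRange, isVulnerable) are hypothetical.

```java
// Added example, not from Snyk or Rundeck. Applies the advisory's ranges to a version string.
public class RundeckVersionCheck {
    // Ranges exactly as the advisory lists them: inclusive lower bound, exclusive upper bound.
    static final String[] VULNERABLE_RANGES = { "[0,3.3.14)", "[3.4.0,3.4.3)" };

    // Numeric components of a version, ignoring a "-qualifier" such as the date stamp in 3.4.1-20210715.
    static int[] parse(String version) {
        String core = version.split("-", 2)[0];
        String[] parts = core.split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i].trim());
        }
        return out;
    }

    // Component-wise comparison; a missing component counts as 0, so 3.4 equals 3.4.0.
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    // True when version lies in [lower,upper) for the given range string.
    static boolean inRange(String version, String range) {
        if (!range.startsWith("[") || !range.endsWith(")")) {
            throw new IllegalArgumentException("only [lower,upper) ranges are handled: " + range);
        }
        String[] bounds = range.substring(1, range.length() - 1).split(",");
        int[] v = parse(version);
        return compare(v, parse(bounds[0])) >= 0 && compare(v, parse(bounds[1])) < 0;
    }

    // True when the version falls in any of the advisory's vulnerable ranges.
    static boolean isVulnerable(String version) {
        for (String range : VULNERABLE_RANGES) {
            if (inRange(version, range)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = { "3.4.1-20210715", "3.3.13", "3.3.14", "3.4.0", "3.4.3", "3.5.0" };
        for (String v : samples) {
            System.out.println(v + " vulnerable: " + isVulnerable(v));
        }
    }
}
```

One caveat: pre-release qualifiers such as 3.4.3-SNAPSHOT or 3.4.3-rc1 sort before 3.4.3 under Maven's ordering rules, so stripping the qualifier would report such a build as fixed when it still falls inside [3.4.0,3.4.3). Treat any build without a released version number as unfixed until it is upgraded to a release at or above the fixed version.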