org.rundeck:rundeck 3.2.3-20200221 vulnerabilities

Known vulnerabilities in the org.rundeck:rundeck package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Information Exposure org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts. Affected versions of this package are vulnerable to Information Exposure. The `Key Storage converter` plugin mechanism was not enabled correctly, resulting in the use of the encryption layer for Key Storage possibly not working. Exploiting this vulnerability leads to any credentials created or overwritten being written in plaintext to the backend storage. Note: This vulnerability affects those using any `Storage Converter` plugin. How to fix Information Exposure? Upgrade `org.rundeck:rundeck` to version 4.2.2-20220615, 4.3.1-20220615 or higher.	[,4.2.2-20220615)[4.3.0-20220602,4.3.1-20220615)
H Cross-site Request Forgery (CSRF) org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). A user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code, due to missing CSRF protection to the upload/install plugin endpoints. How to fix Cross-site Request Forgery (CSRF)? Upgrade `org.rundeck:rundeck` to version 3.3.14, 3.4.3 or higher.	[0,3.3.14)[3.4.0,3.4.3)
M Information Exposure org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts. Affected versions of this package are vulnerable to Information Exposure. Authenticated users can craft a request that reveals execution data and logs and job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. An authenticated user could craft a request to: View Executions and download execution logs without access to `read` or `view` the associated Job, or ad-hoc resource. Get the list of running executions in a project, without Event `read` access, if they have `read` access to view the project. View the Options definitions of a Job without access to view the Job. View the definition of a workflow step of a Job without access to view the Job. View the SCM diff of a modified Job definition if SCM is enabled, without Project `export` access level. View the New User Profile Form for a different username, without User `admin` access. Note: they would not be allowed to create or modify a profile for a different user, or reveal any user profile information for a different user. How to fix Information Exposure? Upgrade `org.rundeck:rundeck` to version 3.2.6 or higher.	[,3.2.6)

Vulnerability

Vulnerable Version

Information Exposure

org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts.

Affected versions of this package are vulnerable to Information Exposure. The Key Storage converter plugin mechanism was not enabled correctly, resulting in the use of the encryption layer for Key Storage possibly not working. Exploiting this vulnerability leads to any credentials created or overwritten being written in plaintext to the backend storage.

Note: This vulnerability affects those using any Storage Converter plugin.

How to fix Information Exposure?

Upgrade org.rundeck:rundeck to version 4.2.2-20220615, 4.3.1-20220615 or higher.

[,4.2.2-20220615)[4.3.0-20220602,4.3.1-20220615)

Cross-site Request Forgery (CSRF)

org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). A user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code, due to missing CSRF protection to the upload/install plugin endpoints.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.rundeck:rundeck to version 3.3.14, 3.4.3 or higher.

[0,3.3.14)[3.4.0,3.4.3)

Information Exposure

org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts.

Affected versions of this package are vulnerable to Information Exposure. Authenticated users can craft a request that reveals execution data and logs and job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk.

An authenticated user could craft a request to:

View Executions and download execution logs without access to read or view the associated Job, or ad-hoc resource.
Get the list of running executions in a project, without Event read access, if they have read access to view the project.
View the Options definitions of a Job without access to view the Job.
View the definition of a workflow step of a Job without access to view the Job.
View the SCM diff of a modified Job definition if SCM is enabled, without Project export access level.
View the New User Profile Form for a different username, without User admin access. Note: they would not be allowed to create or modify a profile for a different user, or reveal any user profile information for a different user.

How to fix Information Exposure?

Upgrade org.rundeck:rundeck to version 3.2.6 or higher.

[,3.2.6)

org.rundeck:rundeck@3.2.3-20200221 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?