Vulnerability	Vulnerable Version
H Information Exposure org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts. Affected versions of this package are vulnerable to Information Exposure. The `Key Storage converter` plugin mechanism was not enabled correctly, resulting in the use of the encryption layer for Key Storage possibly not working. Exploiting this vulnerability leads to any credentials created or overwritten being written in plaintext to the backend storage. Note: This vulnerability affects those using any `Storage Converter` plugin. How to fix Information Exposure? Upgrade `org.rundeck:rundeck` to version 4.2.2-20220615, 4.3.1-20220615 or higher.	[,4.2.2-20220615)[4.3.0-20220602,4.3.1-20220615)
H Cross-site Request Forgery (CSRF) org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). A user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code, due to missing CSRF protection to the upload/install plugin endpoints. How to fix Cross-site Request Forgery (CSRF)? Upgrade `org.rundeck:rundeck` to version 3.3.14, 3.4.3 or higher.	[0,3.3.14)[3.4.0,3.4.3)

Information Exposure

org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts.

Affected versions of this package are vulnerable to Information Exposure. The Key Storage converter plugin mechanism was not enabled correctly, resulting in the use of the encryption layer for Key Storage possibly not working. Exploiting this vulnerability leads to any credentials created or overwritten being written in plaintext to the backend storage.

Note: This vulnerability affects those using any Storage Converter plugin.

How to fix Information Exposure?

Upgrade org.rundeck:rundeck to version 4.2.2-20220615, 4.3.1-20220615 or higher.

[,4.2.2-20220615)[4.3.0-20220602,4.3.1-20220615)

Cross-site Request Forgery (CSRF)

org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). A user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code, due to missing CSRF protection to the upload/install plugin endpoints.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.rundeck:rundeck to version 3.3.14, 3.4.3 or higher.

[0,3.3.14)[3.4.0,3.4.3)

Go back to all versions of this package