Information Exposure Affecting org.rundeck:rundeck package, versions [,3.2.6)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Information Exposure vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGRUNDECK-567887
- published30 Apr 2020
- disclosed30 Apr 2020
- creditJustine Osborne
Introduced: 30 Apr 2020
CVE-2020-11009 (opens in a new tab)How to fix?
Upgrade org.rundeck:rundeck to version 3.2.6 or higher.
Overview
org.rundeck:rundeck is an enable Self-Service Operations package which gives specific users access to your existing tools, services, and scripts.
Affected versions of this package are vulnerable to Information Exposure. Authenticated users can craft a request that reveals execution data and logs and job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk.
An authenticated user could craft a request to:
- View Executions and download execution logs without access to
readorviewthe associated Job, or ad-hoc resource. - Get the list of running executions in a project, without Event
readaccess, if they havereadaccess to view the project. - View the Options definitions of a Job without access to view the Job.
- View the definition of a workflow step of a Job without access to view the Job.
- View the SCM diff of a modified Job definition if SCM is enabled, without Project
exportaccess level. - View the New User Profile Form for a different username, without User
adminaccess. Note: they would not be allowed to create or modify a profile for a different user, or reveal any user profile information for a different user.