CVE-2021-41111

Authorization Bypass Through User-Controlled Key in Rundeck

CVSS 6.4 MEDIUMEPSS 0.5%CWE-639

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.4EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

28 feb 2022Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Productos afectados

rundeck · rundeck

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5 https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j