Fdevans

**Name of the Vulnerable Software and Affected Versions** Rundeck versions prior to 4.17.3 **Description** The issue allows authenticated users to access certain URL paths without necessary authorization checks, providing a list of job names and groups for any project. The affected URLs are "http[s]://[host]/context/rdJob/*" and "http[s]://[host]/context/api/*/incubator/jobs". The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project, and the access does not allow changes to the information. **Recommendations** For versions prior to 4.17.3, upgrade to version 4.17.3 to resolve the issue. As a temporary workaround, consider blocking access to the URLs "http[s]://[host]/context/rdJob/*" and "http[s]://[host]/context/api/*/incubator/jobs" at a load balancer level.

**Name of the Vulnerable Software and Affected Versions** Rundeck versions prior to 3.4.5 Rundeck versions prior to 3.3.15 **Description** Rundeck is an open source automation service with a web console, command line tools and a WebAPI. An authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. **Recommendations** For versions prior to 3.4.5, update to version 3.4.5 to resolve the issue. For versions prior to 3.3.15, update to version 3.3.15 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Rundeck versions prior to 3.4.5 **Description** Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on the trust level of authenticated users and the impact of running or not running scheduled jobs on days governed by calendar definitions. **Recommendations** For versions prior to 3.4.5, update to version 3.4.5 to resolve the issue. As a temporary workaround, consider restricting access to the calendar modification functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Rundeck versions prior to 3.3.14 Rundeck versions prior to 3.4.3 **Description** Rundeck is an open source automation service with a web console, command line tools and a WebAPI. A user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. **Recommendations** For versions prior to 3.3.14, update to version 3.3.14 or later. For versions prior to 3.4.3, update to version 3.4.3 or later. As a temporary workaround, consider restricting access to the `system` resource type for users with `admin` access until a patch is applied.