Rundeck · Rundeck · CVE-2022-29186
**Name of the Vulnerable Software and Affected Versions**
Rundeck versions 4.0 and earlier
**Description**
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Rundeck community and rundeck-enterprise Docker images contained a pre-generated SSH keypair. If the `id_rsa.pub` public key of that keypair was copied to `authorized_keys` files on remote hosts, those hosts would allow access to anyone holding the exposed private key, which was shipped in every copy of the image. This misconfiguration only affects Rundeck Docker instances, not the Debian, RPM or .WAR distributions. A patch on Rundeck's `main` branch has removed the pre-generated SSH keypair, but it does not remove exposed public keys that have already been configured on remote hosts.
**Recommendations**
To remediate, users must run a script on the hosts in their environment to search for the exposed public key and rotate any key it finds.
Do not use any pre-existing public key file from the Rundeck Docker images to allow SSH access by adding it to `authorized_keys` files.
If you have copied the public key file included in the Docker image, remove it from any `authorized_keys` files.
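The search-and-remove step above, as an added example that is not Rundeck's own remediation script. It assumes the exposed `id_rsa.pub` from the Docker image has been saved locally as a one-line OpenSSH public key file (the key material itself is not on this page, so the test below uses an obviously constructed placeholder), and it identifies the key by its type and base64 blob so that a line with a different trailing comment or an options prefix such as `command="..."` still matches.

```shell
#!/bin/sh
# Added example, not part of the Rundeck project: locate and remove an
# exposed SSH public key from authorized_keys files on a host.
# Assumption: KEYFILE is a one-line OpenSSH public key ("type blob comment").

# Print "type blob" (fields 1 and 2) for the key in KEYFILE; the comment is
# ignored because it can differ between copies of the same key.
key_identity() {
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# Exit 0 if FILE carries the key from KEYFILE, 1 otherwise. The identity is
# searched anywhere on the line, so option-prefixed entries are found too.
file_has_key() {
    file="$1"; keyfile="$2"
    id="$(key_identity "$keyfile")"
    [ -n "$id" ] || return 1
    grep -F -q -- "$id" "$file"
}

# Remove every line carrying the exposed key from FILE, keeping a backup at
# FILE.bak (same mode and ownership as the original). Prints how many lines
# were removed; the original file is truncated in place so its mode survives.
remove_key() {
    file="$1"; keyfile="$2"
    id="$(key_identity "$keyfile")"
    before=$(wc -l < "$file")
    cp -p -- "$file" "$file.bak"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -F -v -- "$id" "$file.bak" > "$file" || true
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Walk the usual authorized_keys locations and report (default) or remove.
# Usage: scan_host_keys /path/to/exposed_id_rsa.pub [report|remove]
scan_host_keys() {
    keyfile="$1"; mode="${2:-report}"
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        if file_has_key "$f" "$keyfile"; then
            echo "EXPOSED: $f"
            if [ "$mode" = "remove" ]; then
                echo "  removed $(remove_key "$f" "$keyfile") line(s), backup in $f.bak"
            fi
        fi
    done
}
```

Run it first in `report` mode across the fleet to learn which hosts trusted the image key, then in `remove` mode; the `.bak` copies make it easy to confirm nothing else was touched. Rotating to a freshly generated keypair per Rundeck instance should follow, since any host that still accepts the shipped key remains reachable by anyone with the image.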