PT-2021-22394 · Rundeck · Rundeck

Rojan Rijal · Published 2021-08-30 · Updated 2021-09-08 · CVE-2021-39132

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Rundeck versions prior to 3.3.14
Rundeck versions prior to 3.4.3

Description

An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request that can cause the server to run untrusted code on Rundeck Enterprise Edition.

The zip-format plugin issues require authentication and authorization to the following access level, and affect all Rundeck editions: admin level access to the system resource type.

The ACL Policy yaml file upload issues require authentication and authorization to the following access levels, and affect all Rundeck editions: create, update, or admin level access to a project acl resource, and/or create, update, or admin level access to the system acl resource.

Recommendations

To resolve the issue for versions prior to 3.3.14, update to version 3.3.14 or later. To resolve the issue for versions prior to 3.4.3, update to version 3.4.3 or later. As a temporary workaround, consider disabling the upload of zip-format plugins and aclpolicy yaml files until a patch is available. Restrict access to the system resource type and to the project acl and system acl resources to minimize the risk of exploitation. Avoid making unauthenticated POST requests to the affected API endpoints until the issue is resolved.
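The two affected ranges above are easy to misread during an inventory sweep (a 3.3.x build at or above 3.3.14 is fixed even though it is "prior to 3.4.3"). The following is an added example, not part of this advisory or of Rundeck itself: a small triage helper that maps a Rundeck version string to the patch recommendation stated on this page. The interpretation of the ranges (3.3.x fixed from 3.3.14, 3.4.x fixed from 3.4.3, anything older than the 3.3 line treated as affected because it predates both fixes), the version-string format, and the host names in the sample inventory are assumptions made for the example.

```python
# Added example (not from the advisory): classify Rundeck version strings
# against the affected ranges stated on this page.
# Assumed interpretation of the two ranges: 3.3.x builds are fixed from
# 3.3.14, 3.4.x builds from 3.4.3, and anything older than the 3.3 line is
# treated as affected because it predates both fixes.
import re
from typing import Dict, Tuple

FIXED_33 = (3, 3, 14)   # "update to version 3.3.14 or later"
FIXED_34 = (3, 4, 3)    # "update to version 3.4.3 or later"

# Leading major.minor.patch; Rundeck builds may carry a suffix such as
# '-20210705' (assumed format), which is ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse the leading major.minor.patch of a Rundeck version string.

    Raises ValueError for strings that do not start with three
    dot-separated integers, so unparseable inventory entries are not
    silently treated as fixed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Rundeck version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside either affected range on this page."""
    v = parse_version(version)
    if v[:2] == (3, 4):
        return v < FIXED_34       # 3.4.0 .. 3.4.2 affected
    return v < FIXED_33           # 3.3.0 .. 3.3.13 and older lines affected


def recommended_fix(version: str) -> str:
    """Patch recommendation for one version, worded as on the advisory."""
    if not is_affected(version):
        return "not affected by CVE-2021-39132"
    v = parse_version(version)
    target = FIXED_34 if v[:2] == (3, 4) else FIXED_33
    return "update to " + ".".join(map(str, target)) + " or later"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: recommendation} for an inventory mapping host -> version."""
    return {host: recommended_fix(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "rd-prod-01": "3.3.13",
        "rd-prod-02": "3.4.2-20210705",
        "rd-dev-01": "3.4.3",
        "rd-legacy": "3.2.9",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Hosts on a release line other than 3.3.x or 3.4.x are compared against the 3.3.14 threshold, so a hypothetical 3.5.0 is reported as not affected while a 3.2.9 is reported as needing 3.3.14 or later; adjust that rule if your own reading of the affected ranges differs.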

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2021-39132
GHSA-Q4RF-3FHX-88PF

Affected Products

Rundeck