PT-2021-22395 · Rundeck · Rundeck
Fdevans · Published 2021-08-30 · Updated 2021-09-08 · CVE-2021-39133

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Rundeck versions prior to 3.3.14
Rundeck versions prior to 3.4.3

Description
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. A user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions.

Recommendations
For versions prior to 3.3.14, update to version 3.3.14 or later. For versions prior to 3.4.3, update to version 3.4.3 or later. As a temporary workaround, consider restricting access to the system resource type for users with admin access until a patch is applied.

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2021-39133
GHSA-3JMW-C69H-426C

Affected Products

Rundeck