PT-2022-11364 · Rundeck · Rundeck

Fdevans
Published: 2022-02-28
Updated: 2022-03-10
CVE-2021-41111
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Rundeck versions prior to 3.4.5
Rundeck versions prior to 3.3.15

Description
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. An authenticated user with authorization to read webhooks in one project can craft a request to reveal webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on the trust level of authenticated users and on whether any webhooks exist that trigger sensitive actions.

Recommendations
For versions prior to 3.4.5, update to version 3.4.5 to resolve the issue.
For versions prior to 3.3.15, update to version 3.3.15 to resolve the issue.
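The defect class described above is an object reference that is authorized against the project named in the request rather than the project the stored object belongs to. The following is an added illustration, not Rundeck's code: a constructed in-memory webhook store with a vulnerable lookup beside a hardened one, plus a check that reports whether a handler leaks another project's token. The data model, ACL shape, function names and sample records are all assumptions made for the example.

```python
"""Project-scoped object lookup: the IDOR pattern behind cross-project
webhook disclosure, shown as a generic vulnerable/hardened pair.

Constructed illustration, not Rundeck's code. The data model, the
permission model and the sample records are assumptions for this example.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


@dataclass(frozen=True)
class Webhook:
    id: int
    project: str
    name: str
    token: str  # the secret that lets a caller trigger the webhook


@dataclass
class User:
    name: str
    # project -> set of granted actions (constructed ACL model)
    grants: dict[str, set[str]] = field(default_factory=dict)

    def can(self, action: str, project: str) -> bool:
        return action in self.grants.get(project, set())


# Constructed store: two projects, one webhook each.
WEBHOOKS = {
    1: Webhook(1, "alpha", "deploy-alpha", "tok-alpha-SECRET"),
    2: Webhook(2, "beta", "deploy-beta", "tok-beta-SECRET"),
}


def get_webhook_vulnerable(user: User, project: str, webhook_id: int) -> Webhook:
    """Authorizes against the project named in the request, then fetches the
    webhook by its global id. Nothing ties the two together, so a caller
    with read rights only in 'alpha' can request project='alpha',
    webhook_id=2 and receive the 'beta' webhook and its token (an IDOR)."""
    if not user.can("read_webhooks", project):
        raise Forbidden(f"{user.name} may not read webhooks in {project}")
    try:
        return WEBHOOKS[webhook_id]
    except KeyError:
        raise LookupError("no such webhook") from None


def get_webhook_hardened(user: User, project: str, webhook_id: int) -> Webhook:
    """Scopes the lookup to the requested project and authorizes against the
    project the stored object actually belongs to. A webhook from another
    project gets the same 'not found' response as an unknown id, so the
    endpoint does not confirm that the id exists elsewhere."""
    hook = WEBHOOKS.get(webhook_id)
    if hook is None or hook.project != project:
        raise LookupError("no such webhook in project")
    if not user.can("read_webhooks", hook.project):
        raise Forbidden(f"{user.name} may not read webhooks in {hook.project}")
    return hook


def reveals_cross_project_token(handler, user: User) -> bool:
    """Regression check for the defect: a user with rights only in 'alpha'
    asks for webhook 2 (which lives in 'beta') while naming 'alpha' in the
    request. Returns True if the handler hands back the other project's
    webhook with its token."""
    try:
        hook = handler(user, "alpha", 2)
    except (Forbidden, LookupError):
        return False
    return hook.project != "alpha" and bool(hook.token)


if __name__ == "__main__":
    alice = User("alice", {"alpha": {"read_webhooks"}})
    print("vulnerable leaks:", reveals_cross_project_token(get_webhook_vulnerable, alice))
    print("hardened leaks:  ", reveals_cross_project_token(get_webhook_hardened, alice))
```

The point of the hardened version is the order of operations: resolve the object within the caller's requested scope first, then authorize against the scope the object really has. A check like `reveals_cross_project_token` belongs in the test suite of any multi-tenant API that returns secrets, so that a later refactor of the lookup cannot silently reintroduce the cross-project read.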

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2021-41111
GHSA-MFQJ-F22M-GV8J

Affected Products

Rundeck