PT-2022-20482 · Rundeck · Rundeck

Published: 2022-06-15 · Updated: 2022-06-24 · CVE-2022-31044

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rundeck versions 4.2.0 through 4.2.1
Description: The Key Storage converter plugin mechanism was not enabled correctly, so the encryption layer configured for Key Storage (a Storage Converter plugin, such as the jasypt-encryption converter) could be skipped on writes. Any key or password created or overwritten through Key Storage while an affected version was running may therefore have been written to the backend storage in plaintext. Only deployments that have a Storage Converter plugin configured are affected, since the converter is the layer that was bypassed.
Recommendations: For Rundeck versions 4.2.0 and 4.2.1, prevent further plaintext credentials from being stored by disabling write access to Key Storage via ACLs (deny the create, update and delete actions on the keys path; read access can stay so that jobs using stored keys keep working). After upgrading to Rundeck 4.3.1 or later, write access can be restored. Upgrade to Rundeck 4.3.2, 4.2.3, or 4.4.0 and later releases, which fix the converter mechanism and re-encrypt any plaintext values upon upgrade. Credentials written while an affected version was in use should be treated as exposed at the storage backend (including any database backups taken in that window) and rotated.
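The interim mitigation above, written out as a Rundeck aclpolicy file. This is an added example, not code from the advisory or from the Rundeck project. It assumes the standard Rundeck YAML aclpolicy format, that keys live under the default keys/ path, and that a regular expression in the by: group matcher applies the rule to every group (if your version does not honour that, list the groups explicitly, e.g. group: [user, ops]). Deny rules in Rundeck take precedence over allow rules from other policies, so the file can sit beside existing policies and simply be removed after the upgrade.

```yaml
# Added example: interim mitigation for CVE-2022-31044 on Rundeck 4.2.0/4.2.1.
# Drop into the ACL directory (e.g. etc/deny-keystorage-writes.aclpolicy) or
# upload it as a system ACL; delete it once a fixed release is running.
# Assumption: group: '.*' is treated as a regex matching every group.
description: Deny Key Storage writes until CVE-2022-31044 is patched
context:
  application: 'rundeck'
for:
  storage:
    # Everything under the keys/ tree: no new or overwritten entries can be
    # written, so nothing more reaches the backend in plaintext.
    - match:
        path: 'keys/.*'
      deny: [create, update, delete]
    # Read is deliberately not denied: jobs that use stored keys keep running.
by:
  group: '.*'
```

After applying it, confirm the effect by attempting a key upload as a non-admin user (for example through the Key Storage page or the API); the request should be rejected with an authorization error while reads of existing keys still succeed.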

Weakness Enumeration

Insufficiently Protected Credentials (CWE-522)

Related Identifiers

CVE-2022-31044
GHSA-HPRF-RRWQ-JM5C

Affected Products

Rundeck