Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-41111

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

Published

2022-02-28T20:15:08.160

Last Modified

2024-11-21T06:25:29.390

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-639

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	pagerduty	rundeck	< 3.3.15	Yes
Application	pagerduty	rundeck	< 3.4.5	Yes

References

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5 Patch, Third Party Advisory ([email protected])
https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j Third Party Advisory ([email protected])
https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)