Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-41112

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.

Published

2022-02-28T20:15:08.247

Last Modified

2024-11-21T06:25:29.547

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	pagerduty	rundeck	< 3.4.5	Yes

References

https://github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8 Third Party Advisory ([email protected])
https://github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)