Skip to main content

Rundeck CVE-2021-39132

HIGH
Deserialization of Untrusted Data (CWE-502)
2021-08-30 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 30, 2021 - 20:15 nvd
HIGH 8.8

DescriptionNVD

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:admin level access to the system resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: create update or admin level access to a project_acl resource, and/orcreate update or admin level access to the system_acl resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14

AnalysisAI

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Technical ContextAI

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:admin level access to the system resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: create update or admin level access to a project_acl resource, and/orcreate update or admin level access to the system_acl resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14 Affected products include: Pagerduty Rundeck. Version information: version 3.3.14.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.

CVE-2019-6804 MEDIUM POC
6.1 Jan 25

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascrip

CVE-2022-29186 CRITICAL
9.8 May 20

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated critical severit

CVE-2022-41234 HIGH
8.8 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing use

CVE-2022-31044 HIGH
7.5 Jun 15

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2020-2144 HIGH
7.1 Mar 09

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-39133 MEDIUM
6.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2020-11009 MEDIUM
6.5 Apr 29

In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job de

CVE-2019-16556 MEDIUM
6.5 Dec 17

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job conf

CVE-2023-48222 MEDIUM
5.4 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-30956 MEDIUM
5.4 May 17

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a s

CVE-2023-47112 MEDIUM
4.3 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-41233 MEDIUM
4.3 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, a

Share

CVE-2021-39132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy