Skip to main content

Rundeck CVE-2022-31044

HIGH
Plaintext Storage of a Password (CWE-256)
2022-06-15 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 15, 2022 - 19:15 nvd
HIGH 7.5

DescriptionNVD

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. This affects those using any Storage Converter plugin. Rundeck 4.3.1 and 4.2.2 have fixed the code and upon upgrade will re-encrypt any plain text values. Version 4.3.0 does not have the vulnerability, but does not include the patch to re-encrypt plain text values if 4.2.0 or 4.2.1 were used. To prevent plaintext credentials from being stored in Rundeck 4.2.0/4.2.1, write access to key storage can be disabled via ACLs. After upgrading to 4.3.1 or later, write access can be restored.

AnalysisAI

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-256. Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. This affects those using any Storage Converter plugin. Rundeck 4.3.1 and 4.2.2 have fixed the code and upon upgrade will re-encrypt any plain text values. Version 4.3.0 does not have the vulnerability, but does not include the patch to re-encrypt plain text values if 4.2.0 or 4.2.1 were used. To prevent plaintext credentials from being stored in Rundeck 4.2.0/4.2.1, write access to key storage can be disabled via ACLs. After upgrading to 4.3.1 or later, write access can be restored. Affected products include: Pagerduty Rundeck. Version information: Version 4.3.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2019-6804 MEDIUM POC
6.1 Jan 25

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascrip

CVE-2022-29186 CRITICAL
9.8 May 20

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated critical severit

CVE-2022-41234 HIGH
8.8 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing use

CVE-2021-39132 HIGH
8.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2020-2144 HIGH
7.1 Mar 09

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-39133 MEDIUM
6.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2020-11009 MEDIUM
6.5 Apr 29

In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job de

CVE-2019-16556 MEDIUM
6.5 Dec 17

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job conf

CVE-2023-48222 MEDIUM
5.4 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-30956 MEDIUM
5.4 May 17

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a s

CVE-2023-47112 MEDIUM
4.3 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-41233 MEDIUM
4.3 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, a

Share

CVE-2022-31044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy