Skip to main content

Rundeck CVE-2022-41234

HIGH
Missing Authorization (CWE-862)
2022-09-21 jenkinsci-cert@googlegroups.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 21, 2022 - 16:15 nvd
HIGH 8.8

DescriptionNVD

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

AnalysisAI

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck. Affected products include: Jenkins Rundeck.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2019-6804 MEDIUM POC
6.1 Jan 25

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascrip

CVE-2022-29186 CRITICAL
9.8 May 20

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated critical severit

CVE-2021-39132 HIGH
8.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2022-31044 HIGH
7.5 Jun 15

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2020-2144 HIGH
7.1 Mar 09

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-39133 MEDIUM
6.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2020-11009 MEDIUM
6.5 Apr 29

In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job de

CVE-2019-16556 MEDIUM
6.5 Dec 17

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job conf

CVE-2023-48222 MEDIUM
5.4 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-30956 MEDIUM
5.4 May 17

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a s

CVE-2023-47112 MEDIUM
4.3 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-41233 MEDIUM
4.3 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, a

Share

CVE-2022-41234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy