Skip to main content

Rundeck CVE-2023-47112

MEDIUM
Missing Authorization (CWE-862)
2023-11-16 security-advisories@github.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 16, 2023 - 22:15 nvd
MEDIUM 4.3

DescriptionNVD

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information. This vulnerability has been patched in version 4.17.3. Users are advised to upgrade. Users unable to upgrade may block access to the two URLs used in either Rundeck Open Source or Process Automation products at a load balancer level.

AnalysisAI

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information. This vulnerability has been patched in version 4.17.3. Users are advised to upgrade. Users unable to upgrade may block access to the two URLs used in either Rundeck Open Source or Process Automation products at a load balancer level. Affected products include: Pagerduty Rundeck. Version information: version 4.17.3..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2019-6804 MEDIUM POC
6.1 Jan 25

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascrip

CVE-2022-29186 CRITICAL
9.8 May 20

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated critical severit

CVE-2022-41234 HIGH
8.8 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing use

CVE-2021-39132 HIGH
8.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2022-31044 HIGH
7.5 Jun 15

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2020-2144 HIGH
7.1 Mar 09

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-39133 MEDIUM
6.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2020-11009 MEDIUM
6.5 Apr 29

In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job de

CVE-2019-16556 MEDIUM
6.5 Dec 17

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job conf

CVE-2023-48222 MEDIUM
5.4 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-30956 MEDIUM
5.4 May 17

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a s

CVE-2022-41233 MEDIUM
4.3 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, a

Share

CVE-2023-47112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy