CVELIST:CVE-2021-39133 (GitHub_M)
History: Aug 30, 2021 - 7:50 p.m.

CVE-2021-39133 Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server

Published: 2021-08-30 19:50:10
CWE-352
GitHub_M
www.cve.org
Tags: cve-2021-39133, cross-site request forgery, rundeck, vulnerability, csrf attack, untrusted code, patch

CVSS3: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001
Percentile: 37.0%

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.

CNA Affected

[
  {
    "product": "rundeck",
    "vendor": "rundeck",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.3.14"
      },
      {
        "status": "affected",
        "version": ">= 3.4.0, < 3.4.3"
      }
    ]
  }
]

