Lucene search

GitHub_MCVELIST:CVE-2021-41112

HistoryFeb 28, 2022 - 7:15 p.m.

CVE-2021-41112 Missing Authorization in Rundeck

2022-02-2819:15:17

CWE-862

GitHub_M

www.cve.org

rundeck open source automation

missing authorization

calendars

scheduled jobs

patch

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

35.0%

JSON

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.

CNA Affected

[
  {
    "product": "rundeck",
    "vendor": "rundeck",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.4.5"
      }
    ]
  }
]

References

github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

35.0%

JSON

Related for CVELIST:CVE-2021-41112