CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
14.0%
Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks.
The affected URLs are:
http[s]://[host]/context/rdJob/*
http[s]://[host]/context/api/*/incubator/jobs
The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information.
Rundeck, Process Automation version 4.17.0 up to 4.17.2
Patched versions: 4.17.3
Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.
http[s]://host/context/rdJob/*
http[s]://host/context/api/*/incubator/jobs
If you have any questions or comments about this advisory:
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
14.0%