CVE-2021-41111

28.02.2022, 20:15

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	6.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Affected Products (NVD)

Vendor	Product	Version
pagerduty	rundeck	𝑥 < 3.3.15
pagerduty	rundeck	3.4.0 ≤ 𝑥 < 3.4.5

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
rundeck	rundeck	𝑥 < 3.3.15	CNA

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5

https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5

https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j