CVE-2021-41111

EPSS 0.14%
Published 28.02.2022 20:15:08
Last modified 21.11.2024 06:25:29
Source security-advisories@github.com
Teams watchlist Login
Open Login

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Pagerduty ≫ Rundeck SwEdition- Version < 3.3.15

Pagerduty ≫ Rundeck SwEdition- Version >= 3.4.0 < 3.4.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.352

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:P/A:N
security-advisories@github.com	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5

Patch

Third Party Advisory

https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-41111

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41111

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41111

EUVD