CVE-2021-41112

EPSS 0.21%
Published 28.02.2022 20:15:08
Last modified 21.11.2024 06:25:29
Source security-advisories@github.com
Teams watchlist Login
Open Login

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Pagerduty ≫ Rundeck SwEdition- Version < 3.4.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.439

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:N/I:P/A:P
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-41112

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41112

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41112

EUVD