CVE Vulnerability

CVE-2021-41111

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

5.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j Third Party Advisory
https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:pagerduty:rundeck:*:*:*:*:-:*:*:*
cpe:2.3:a:pagerduty:rundeck:*:*:*:*:-:*:*:*
Information

Published : 2022-02-28 08:15

Updated : 2022-03-10 04:51

NVD link : CVE-2021-41111

Mitre link : CVE-2021-41111

Products Affected
No products.
CWE
CWE-639