CVE-2021-41111

Published: Feb 28, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

Affected (2)

Products: Pagerduty: Rundeck

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Pagerduty Rundeck	Before 3.3.15
Pagerduty Rundeck	From 3.4.0 to 3.4.5

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j

Source: security-advisories@github.com

Third Party Advisory

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.