Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNqbXctYzY5aC00MjZj

Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server

Impact

A user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions.

Patches

Available in Rundeck 3.4.3 and 3.3.14

Workarounds

Please visit https://rundeck.com/security for information about specific workarounds.

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]

To report security issues to Rundeck please use the form at https://rundeck.com/security

Permalink: https://github.com/advisories/GHSA-3jmw-c69h-426c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNqbXctYzY5aC00MjZj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago

CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-3jmw-c69h-426c, CVE-2021-39133
References:

• https://github.com/rundeck/rundeck/security/advisories/GHSA-3jmw-c69h-426c
• https://nvd.nist.gov/vuln/detail/CVE-2021-39133
• https://github.com/rundeck/rundeck/commit/67c4eedeaf9509fc0b255aff15977a5229ef13b9
• https://github.com/advisories/GHSA-3jmw-c69h-426c

Repository: https://github.com/rundeck/rundeck
Blast Radius: 11.5

Affected Packages