Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0cmYtM2ZoeC04OHBm
YAML deserialization can run untrusted code
Impact
An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.
The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
adminlevel access to thesystemresource type
The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
createupdateoradminlevel access to aproject_aclresourcecreateupdateoradminlevel access to thesystem_aclresource
The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.
Patches
Versions 3.4.3, 3.3.14
Workarounds
Please visit https://rundeck.com/security for information about specific workarounds.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
To report security issues to Rundeck please use the form at https://rundeck.com/security
Reporter: Rojan Rijal from Tinder Red Team
Permalink: https://github.com/advisories/GHSA-q4rf-3fhx-88pfJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0cmYtM2ZoeC04OHBm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-q4rf-3fhx-88pf, CVE-2021-39132
References:
- https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf
- https://nvd.nist.gov/vuln/detail/CVE-2021-39132
- https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6
- https://github.com/advisories/GHSA-q4rf-3fhx-88pf
Blast Radius: 14.1
Affected Packages
maven:org.rundeck:rundeck-core
Dependent packages: 6Dependent repositories: 40
Downloads:
Affected Version Ranges: < 3.3.14, >= 3.4.0, < 3.4.3
Fixed in: 3.3.14, 3.4.3
All affected versions: 1.4.4, 1.4.5, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.6.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.10.8, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14
All unaffected versions: