Description
Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server
Impact
On all Rundeck editions, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code.
Patches
Available in Rundeck 3.4.3 and 3.3.14
Workarounds
Please visit https://rundeck.com/security for information about specific workarounds.
For more information
If you have any questions or comments about this advisory:
- Email us at security@rundeck.com
To report security issues to Rundeck please use the form at https://rundeck.com/security
Packages
org.rundeck:rundeck-core
Affected versions: >= 3.4.0, < 3.4.3
Patched version: 3.4.3
org.rundeck:rundeck-core
Affected versions: < 3.3.14
Patched version: 3.3.14
Related vulnerabilities
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.