CVE-2021-41111

Опубликовано: 28 фев. 2022

Источник: nvd

CVSS3: 6.4

CVSS3: 5.4

CVSS2: 5.5

EPSS Низкий

Описание

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

Ссылки

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5
Patch
Third Party Advisory
https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j
Third Party Advisory
https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5
Patch
Third Party Advisory
https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:pagerduty:rundeck:*:*:*:*:-:*:*:*

Версия до 3.3.15 (исключая)

cpe:2.3:a:pagerduty:rundeck:*:*:*:*:-:*:*:*

Версия от 3.4.0 (включая) до 3.4.5 (исключая)

EPSS

Процентиль: 41%

0.00188

Низкий

6.4 Medium

CVSS3

5.4 Medium

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-639

EPSS

Процентиль: 41%

0.00188

Низкий

6.4 Medium

CVSS3

5.4 Medium

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-639