Lucene search

GitHub_MCVELIST:CVE-2021-41112

HistoryFeb 28, 2022 - 7:15 p.m.

CVE-2021-41112 Missing Authorization in Rundeck

2022-02-2819:15:17

CWE-862

GitHub_M

www.cve.org

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

0.001 Low

EPSS

Percentile

35.0%

JSON

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.

CNA Affected

[
  {
    "product": "rundeck",
    "vendor": "rundeck",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.4.5"
      }
    ]
  }
]

References

github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

0.001 Low

EPSS

Percentile

35.0%

JSON

Related for CVELIST:CVE-2021-41112