CVE-2022-31044 Plaintext Storage of Keys and Passwords in Rundeck and PagerDuty Process Automation

2022-06-1519:00:22

CWE-256

CWE-522

GitHub_M

www.cve.org

cve-2022-31044

plaintext storage

keys and passwords

rundeck

pagerduty

process automation

encryption layer

storage converter

plugin

vulnerability

upgrade

acls

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

40.3%

JSON

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. This affects those using any Storage Converter plugin. Rundeck 4.3.1 and 4.2.2 have fixed the code and upon upgrade will re-encrypt any plain text values. Version 4.3.0 does not have the vulnerability, but does not include the patch to re-encrypt plain text values if 4.2.0 or 4.2.1 were used. To prevent plaintext credentials from being stored in Rundeck 4.2.0/4.2.1, write access to key storage can be disabled via ACLs. After upgrading to 4.3.1 or later, write access can be restored.

CNA Affected

[
  {
    "product": "rundeck",
    "vendor": "rundeck",
    "versions": [
      {
        "status": "affected",
        "version": ">= 4.2.0, < 4.2.2"
      }
    ]
  }
]