Skip to content

Authenticated users can view job names and groups for which they do not have read authorization

Moderate
fdevans published GHSA-xvmv-4rx6-x6jx Nov 16, 2023

Package

maven rundeck,rundeckpro-enterprise (Maven)

Affected versions

4.17.0-4.17.2

Patched versions

4.17.3

Description

Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks.

The affected URLs are:

  • http[s]://[host]/context/rdJob/*
  • http[s]://[host]/context/api/*/incubator/jobs

The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information.

Impact

Rundeck, Process Automation version 4.17.0 up to 4.17.2

Patches

Patched versions: 4.17.3

Workarounds

Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.

  • http[s]://host/context/rdJob/*
  • http[s]://host/context/api/*/incubator/jobs

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-47112

Weaknesses

No CWEs