Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks.
The affected URLs are:
http[s]://[host]/context/rdJob/*http[s]://[host]/context/api/*/incubator/jobs
The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information.
Impact
Rundeck, Process Automation version 4.17.0 up to 4.17.2
Patches
Patched versions: 4.17.3
Workarounds
Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.
http[s]://host/context/rdJob/*http[s]://host/context/api/*/incubator/jobs
For more information
If you have any questions or comments about this advisory:
Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks.
The affected URLs are:
http[s]://[host]/context/rdJob/*http[s]://[host]/context/api/*/incubator/jobsThe output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information.
Impact
Rundeck, Process Automation version 4.17.0 up to 4.17.2
Patches
Patched versions: 4.17.3
Workarounds
Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.
http[s]://host/context/rdJob/*http[s]://host/context/api/*/incubator/jobsFor more information
If you have any questions or comments about this advisory: