CVE-2021-41111

Source
https://cve.org/CVERecord?id=CVE-2021-41111
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41111.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-41111
Related
  • GHSA-mfqj-f22m-gv8j
Published
2022-02-28T20:15:08.160Z
Modified
2026-03-13T22:14:52.836797Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request that reveals webhook definitions and tokens in another project. The user could then use the revealed webhook tokens to trigger those webhooks. Severity depends on the trust level of authenticated users and on whether any webhooks exist that trigger sensitive actions. Patches for this vulnerability are available in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

References

Affected packages

Git / github.com/rundeck/rundeck

Affected ranges

Type
GIT
Repo
https://github.com/rundeck/rundeck
Events
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.15"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.5"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41111.json"