GHSA-q4rf-3fhx-88pf

Source
https://github.com/advisories/GHSA-q4rf-3fhx-88pf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-q4rf-3fhx-88pf/GHSA-q4rf-3fhx-88pf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q4rf-3fhx-88pf
Aliases
Published
2021-09-01T18:27:01Z
Modified
2023-11-08T04:06:30.040913Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
YAML deserialization can run untrusted code
Details

Impact

An authorized user can upload a zip-format plugin containing a crafted plugin.yaml, upload a crafted aclpolicy YAML file, or upload an untrusted project archive containing a crafted aclpolicy YAML file, causing the server to run untrusted code. This affects both Rundeck Community and Enterprise Edition. Separately, an authenticated user can make a POST request that causes the server to run untrusted code on Rundeck Enterprise Edition.

The zip-format plugin issue requires authentication and authorization at the following access level, and affects all Rundeck editions:

  • admin level access to the system resource type

The ACL policy YAML file upload issue requires authentication and authorization at one of the following access levels, and affects all Rundeck editions:

  • create, update, or admin level access to a project_acl resource
  • create, update, or admin level access to the system_acl resource

The POST request issue requires authentication but no specific authorization, and affects Rundeck Enterprise only.
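The root cause described above is a YAML parser that honours document-supplied type tags, so a file such as plugin.yaml or an aclpolicy file can name an arbitrary JVM class for the loader to instantiate. The following is an added illustration written for this page, not Rundeck's own loader code: it contrasts a SnakeYAML SafeConstructor (which only builds maps, lists and scalars and rejects any !!java.* tag) with a permissive Constructor that accepts every global tag, which is how SnakeYAML 1.x behaved by default. It assumes the SnakeYAML 2.x API (LoaderOptions, TagInspector); the class name PluginYamlLoader and both sample documents are constructed for the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class PluginYamlLoader {

    // Constructed sample: the shape of an ordinary plugin descriptor (illustrative, not Rundeck's schema).
    static final String BENIGN =
            "name: example-plugin\n"
          + "version: 1.0\n"
          + "providers:\n"
          + "  - name: hello\n"
          + "    service: WorkflowStep\n";

    // Constructed sample: a document whose global (!!) tag asks the loader to
    // instantiate a JVM class chosen by the author of the file, not by the application.
    static final String TAGGED =
            "name: !!java.net.URL [\"http://127.0.0.1/\"]\n";

    // Safe: SafeConstructor only constructs standard YAML types; a !!java.* tag raises
    // a ConstructorException (a YAMLException) instead of instantiating the class.
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadSafely(String doc) {
        LoaderOptions opts = new LoaderOptions();
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return (Map<String, Object>) yaml.load(doc);
    }

    // Unsafe, shown only for contrast: a TagInspector that allows every global tag lets the
    // document decide which class is constructed. Never use this on attacker-controlled input.
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadUnsafely(String doc) {
        LoaderOptions opts = new LoaderOptions();
        opts.setTagInspector(tag -> true); // accept any !!fully.qualified.ClassName
        Yaml yaml = new Yaml(new Constructor(opts));
        return (Map<String, Object>) yaml.load(doc);
    }

    public static void main(String[] args) {
        // Ordinary descriptor parses to plain Java collections under either loader.
        System.out.println("benign name: " + loadSafely(BENIGN).get("name"));

        // The tagged document is rejected by the safe loader ...
        try {
            loadSafely(TAGGED);
            System.out.println("unexpected: safe loader accepted a global tag");
        } catch (YAMLException e) {
            System.out.println("rejected by SafeConstructor: " + e.getMessage());
        }

        // ... but the permissive loader instantiates java.net.URL from the file's contents.
        Object value = loadUnsafely(TAGGED).get("name");
        System.out.println("permissive loader built: " + value.getClass().getName());
    }
}
```

The practical check when reviewing a service that accepts YAML uploads is which Constructor the Yaml instance is built with, and whether any TagInspector widens the default. java.net.URL is used here because it is harmless; the advisory's point is that the same mechanism lets the uploader pick any class reachable on the classpath.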

Patches

Fixed in versions 3.4.3 and 3.3.14.

Workarounds

Please visit https://rundeck.com/security for information about specific workarounds.

For more information

If you have any questions or comments about this advisory:

  • Email us at security@rundeck.com

To report security issues to Rundeck please use the form at https://rundeck.com/security

Reporter: Rojan Rijal from Tinder Red Team

References

Affected packages

Maven / org.rundeck:rundeck-core

Package

Name
org.rundeck:rundeck-core
Purl
pkg:maven/org.rundeck/rundeck-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0
Fixed
3.4.3

Affected versions

3.*

3.4.0-20210614
3.4.1-rc1-20210629
3.4.1-rc2-20210705
3.4.1-rc3-20210709
3.4.1-20210614
3.4.1-20210715
3.4.2-rc1-20210726
3.4.2-rc2-20210729
3.4.2-20210803
3.4.3-rc1-20210813
3.4.3-rc2-20210816

Maven / org.rundeck:rundeck-core

Package

Name
org.rundeck:rundeck-core
Purl
pkg:maven/org.rundeck/rundeck-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.3.14

Affected versions

1.*

1.4.4
1.4.5
1.5
1.5.1
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.6
2.10.7
2.10.8
2.11.0-RC1
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14

3.*

3.0.0-alpha1
3.0.0-20180727
3.0.1-20180803
3.0.2-20180803
3.0.2-20180817
3.0.5-20180828
3.0.6-20180917
3.0.7-20181008
3.0.8-20181029
3.0.9-20181127
3.0.10-20181220
3.0.11-20181221
3.0.12-20190114
3.0.13-20190123
3.0.14-20190221
3.0.15-20190222
3.0.16-20190223
3.0.17-20190311
3.0.18-20190322
3.0.19-20190327
3.0.20-20190408
3.0.21-20190424
3.0.22-20190512
3.0.23-20190619
3.0.24-20190719
3.0.25-20190814
3.0.26-20190829
3.0.27-20191204
3.1.0-rc2-20190719
3.1.0-20190731
3.1.1-20190923
3.1.2-20190927
3.1.3-20191204
3.2.0-20191218
3.2.1-20200113
3.2.2-20200204
3.2.3-20200221
3.2.4-20200318
3.2.5-20200403
3.2.6-20200427
3.2.7-rc1-20200511
3.2.7-20200515
3.2.9-20200708
3.3.0-rc1-20200623
3.3.0-preview1-20200608
3.3.0-preview2-20200610
3.3.0-20200701
3.3.1-20200727
3.3.2-rc1-20200811
3.3.2-rc2-20200814
3.3.2-20200727
3.3.2-20200817
3.3.3-rc1-20200902
3.3.3-rc2-20200904
3.3.3-20200910
3.3.4-rc1-20200921
3.3.4-rc2-20200923
3.3.4-rc3-20200925
3.3.4-rc4-20200929
3.3.4-20201007
3.3.5-rc1-20201009
3.3.5-rc2-20201014
3.3.5-20201019
3.3.6-alpha1-20201022
3.3.6-rc1-20201102
3.3.6-rc2-20201105
3.3.6-rc3-20201105
3.3.6-rc4-20201109
3.3.6-20201111
3.3.7-rc1-20201201
3.3.7-rc2-20201203
3.3.7-20201208
3.3.8-rc3-20201231
3.3.8-rc4-20201231
3.3.8-rc5-20210104
3.3.8-rc6-20210105
3.3.8-rc7-20210107
3.3.8-20210111
3.3.9-rc2-20210122
3.3.9-rc3-20210127
3.3.9-rc4-20210201
3.3.9-20210122
3.3.9-20210201
3.3.10-rc1-20210216
3.3.10-rc2-20210219
3.3.10-20210301
3.3.11-rc1-20210329
3.3.11-rc2-20210406
3.3.11-rc3-20210424
3.3.11-rc4-20210504
3.3.11-20210507
3.3.12-rc1-20210513
3.3.12-rc2-20210514
3.3.12-20210521
3.3.13-rc1-20210601
3.3.13-rc2-20210610
3.3.13-20210614
3.3.14-rc1-20210825