GHSA-q4rf-3fhx-88pf

Source

https://github.com/advisories/GHSA-q4rf-3fhx-88pf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-q4rf-3fhx-88pf/GHSA-q4rf-3fhx-88pf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q4rf-3fhx-88pf

Aliases

CVE-2021-39132

Related

CVE-2021-39132

Published

2021-09-01T18:27:01Z

Modified

2023-11-08T04:06:30.040913Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

YAML deserialization can run untrusted code

Details

Impact

An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.

The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:

admin level access to the system resource type

The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions:

create update or admin level access to a project_acl resource
create update or admin level access to the system_acl resource

The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.

Patches

Versions 3.4.3, 3.3.14

Workarounds

Please visit https://rundeck.com/security for information about specific workarounds.

For more information

If you have any questions or comments about this advisory: * Email us at security@rundeck.com

To report security issues to Rundeck please use the form at https://rundeck.com/security

Reporter: Rojan Rijal from Tinder Red Team

Database specific

{
    "github_reviewed_at": "2021-08-30T22:03:16Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ],
    "nvd_published_at": "2021-08-30T20:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.rundeck:rundeck-core

Package

Name: org.rundeck:rundeck-core; View open source insights on deps.dev
Purl: pkg:maven/org.rundeck/rundeck-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Fixed

3.4.3

Affected versions

3.*

3.4.0-20210614

3.4.1-rc1-20210629

3.4.1-rc2-20210705

3.4.1-rc3-20210709

3.4.1-20210614

3.4.1-20210715

3.4.2-rc1-20210726

3.4.2-rc2-20210729

3.4.2-20210803

3.4.3-rc1-20210813

3.4.3-rc2-20210816

Maven / org.rundeck:rundeck-core

Package

Name: org.rundeck:rundeck-core; View open source insights on deps.dev
Purl: pkg:maven/org.rundeck/rundeck-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.14

Affected versions

1.*

1.4.4

1.4.5

1.5

1.5.1

1.5.2

1.5.3

1.6.0

1.6.1

1.6.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.1.1

2.1.2

2.1.3

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.10.8

2.11.0-RC1

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.11.6

2.11.7

2.11.8

2.11.9

2.11.10

2.11.11

2.11.12

2.11.13

2.11.14

3.*

3.0.0-alpha1

3.0.0-20180727

3.0.1-20180803

3.0.2-20180803

3.0.2-20180817

3.0.5-20180828

3.0.6-20180917

3.0.7-20181008

3.0.8-20181029

3.0.9-20181127

3.0.10-20181220

3.0.11-20181221

3.0.12-20190114

3.0.13-20190123

3.0.14-20190221

3.0.15-20190222

3.0.16-20190223

3.0.17-20190311

3.0.18-20190322

3.0.19-20190327

3.0.20-20190408

3.0.21-20190424

3.0.22-20190512

3.0.23-20190619

3.0.24-20190719

3.0.25-20190814

3.0.26-20190829

3.0.27-20191204

3.1.0-rc2-20190719

3.1.0-20190731

3.1.1-20190923

3.1.2-20190927

3.1.3-20191204

3.2.0-20191218

3.2.1-20200113

3.2.2-20200204

3.2.3-20200221

3.2.4-20200318

3.2.5-20200403

3.2.6-20200427

3.2.7-rc1-20200511

3.2.7-20200515

3.2.9-20200708

3.3.0-rc1-20200623

3.3.0-preview1-20200608

3.3.0-preview2-20200610

3.3.0-20200701

3.3.1-20200727

3.3.2-rc1-20200811

3.3.2-rc2-20200814

3.3.2-20200727

3.3.2-20200817

3.3.3-rc1-20200902

3.3.3-rc2-20200904

3.3.3-20200910

3.3.4-rc1-20200921

3.3.4-rc2-20200923

3.3.4-rc3-20200925

3.3.4-rc4-20200929

3.3.4-20201007

3.3.5-rc1-20201009

3.3.5-rc2-20201014

3.3.5-20201019

3.3.6-alpha1-20201022

3.3.6-rc1-20201102

3.3.6-rc2-20201105

3.3.6-rc3-20201105

3.3.6-rc4-20201109

3.3.6-20201111

3.3.7-rc1-20201201

3.3.7-rc2-20201203

3.3.7-20201208

3.3.8-rc3-20201231

3.3.8-rc4-20201231

3.3.8-rc5-20210104

3.3.8-rc6-20210105

3.3.8-rc7-20210107

3.3.8-20210111

3.3.9-rc2-20210122

3.3.9-rc3-20210127

3.3.9-rc4-20210201

3.3.9-20210122

3.3.9-20210201

3.3.10-rc1-20210216

3.3.10-rc2-20210219

3.3.10-20210301

3.3.11-rc1-20210329

3.3.11-rc2-20210406

3.3.11-rc3-20210424

3.3.11-rc4-20210504

3.3.11-20210507

3.3.12-rc1-20210513

3.3.12-rc2-20210514

3.3.12-20210521

3.3.13-rc1-20210601

3.3.13-rc2-20210610

3.3.13-20210614

3.3.14-rc1-20210825