CVE-2021-41111

Published: Feb 28, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

6.4

MEDIUM

Description

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

Vendor	Product	Versions
rundeck	rundeck	affected `< 3.3.15` affected `>= 3.4.0, < 3.4.5`

Weaknesses (CWE)

CWE-639

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j

x_refsource_CONFIRM

https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-41111

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References