CVE-2021-41111
Severity: MEDIUM (CVSS 6.4)
Description
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.
CVE details
CVSS v3.1 score: 6.4
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2/28/2022
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
pagerduty:rundeck
Weaknesses (CWE)
CWE-639
References
https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5 (source: security-advisories@github.com)
https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j (source: security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.