SCA: security update for org.rundeck:rundeck-core (GHSA-q4rf-3fhx-88pf)

High | Tenable Cloud Security | Plugin ID 417879

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to
version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted
plugin.yaml, a crafted aclpolicy yaml file, or an untrusted project archive containing a crafted
aclpolicy yaml file, any of which can cause the server to run untrusted code on Rundeck Community or Enterprise
Edition. An authenticated user can also make a POST request that causes the server to run untrusted code on
Rundeck Enterprise Edition. The zip-format plugin issue requires authentication and authorization at the
following access level, and affects all Rundeck editions: `admin` level access to the `system` resource type.
The ACL Policy yaml file upload issues require authentication and authorization at the following access levels,
and affect all Rundeck editions: `create`, `update` or `admin` level access to a `project_acl` resource,
and/or `create`, `update` or `admin` level access to the `system_acl` resource. The unauthorized POST
request requires authentication but no specific authorization, and affects Rundeck Enterprise only.
Patches are available in versions 3.4.3 and 3.3.14. (CVE-2021-39132)

See Also

https://github.com/advisories/GHSA-q4rf-3fhx-88pf

Plugin Details

Severity: High

ID: 417879

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/28/2026

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-39132

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/1/2021

Vulnerability Publication Date: 8/30/2021

Reference Information

CVE: CVE-2021-39132

CWE: CWE-502