SCA: security update for org.rundeck:rundeck (GHSA-5679-7qrc-5m7j)

medium Tenable Self-Hosted Container Security Plugin ID 423144

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and
logs and Job details that they are not authorized to see. Depending on the configuration and the way that
Rundeck is used, this could result in anything from a high severity risk to a very low risk. If access
is tightly restricted and all users on the system have access to all projects, this is not much of
an issue. If access is wider and allows login for users that do not have access to any projects, or if
project access is restricted, there is a larger issue. If access is meant to be restricted and secrets,
sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk
becomes much higher. This vulnerability is patched in version 3.2.6. (CVE-2020-11009)

See Also

https://github.com/advisories/GHSA-5679-7qrc-5m7j

Plugin Details

Severity: Medium

ID: 423144

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 8/11/2025

Risk Information

VPR

Risk Factor: Low

Score: 3.6

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2020-11009

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/29/2020

Vulnerability Publication Date: 4/29/2020

Reference Information

CVE: CVE-2020-11009