Vulnerability Details : CVE-2021-41111
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.
Products affected by CVE-2021-41111
- cpe:2.3:a:pagerduty:rundeck:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41111
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~17% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-41111
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N | 8.0 | 4.9 | NIST | 
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 2.8 | 2.5 | NIST | 
6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | 3.1 | 2.7 | GitHub, Inc. | 
CWE ids for CVE-2021-41111
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2021-41111
- https://github.com/rundeck/rundeck/security/advisories/GHSA-mfqj-f22m-gv8j
  Webhook data and tokens can be revealed to an unauthorized user · Advisory · rundeck/rundeck · GitHub (Third Party Advisory)
- https://github.com/rundeck/rundeck/commit/a3bdc06a0731da902593732022a5b9d2b4facec5
  Merge pull request from GHSA-mfqj-f22m-gv8j · rundeck/rundeck@a3bdc06 · GitHub (Patch; Third Party Advisory)