Vulnerability Details : CVE-2021-41112
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.
Products affected by CVE-2021-41112
- cpe:2.3:a:pagerduty:rundeck:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41112
0.09% (probability of exploitation activity in the next 30 days)
EPSS Score History
~41% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-41112
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:P | 8.0 | 4.9 | NIST | |
| 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | 2.8 | 5.2 | NIST | |
| 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | 2.8 | 5.2 | GitHub, Inc. | |
CWE ids for CVE-2021-41112
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-41112
- https://github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8 (Authenticated users can modify Calendars without appropriate authorization · Advisory · rundeck/rundeck · GitHub) - Third Party Advisory