GHSA-q4rf-3fhx-88pf · Severity: medium · Ecosystem: maven — YAML deserialization can run untrusted code
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issue requires authentication and authorization to these access levels, and affects all Rundeck editions: `admin` level access to the `system` resource type. The ACL Policy yaml file upload issues require authentication and authorization to these access levels, and affect all Rundeck editions: `create`, `update` or `admin` level access to a `project_acl` resource, and/or `create`, `update` or `admin` level access to the `system_acl` resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3 and 3.3.14.
Conclusion & alert: CVE-2021-39132 is rated Moderate Risk (59.7/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.38%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.85% | 1.38% | +0.53% |
| 2 | 2026-02-11 | 0.65% | 0.85% | +0.20% |
| 3 | 2026-01-21 | — | 0.65% | — |
Full EPSS history (12 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH | | 2.8 | 5.9 | [email protected] |
| 8.8 | 3.1 | HIGH | | 2.8 | 5.9 | [email protected] |
| 6.5 | 2.0 | MEDIUM | | 8.0 | 6.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| pagerduty | rundeck | < 3.3.14 | cpe:2.3:a:pagerduty:rundeck:*:*:*:*:community:*:*:* |
| pagerduty | rundeck | < 3.3.14 | cpe:2.3:a:pagerduty:rundeck:*:*:*:*:enterprise:*:*:* |
| pagerduty | rundeck | >= 3.4.0, < 3.4.3 | cpe:2.3:a:pagerduty:rundeck:*:*:*:*:community:*:*:* |
| pagerduty | rundeck | >= 3.4.0, < 3.4.3 | cpe:2.3:a:pagerduty:rundeck:*:*:*:*:enterprise:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6 | Patch Third Party Advisory |
| https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf | Third Party Advisory |