Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks.
The affected URLs are:
- http[s]://[host]/context/rdJob/*
- http[s]://[host]/context/api/*/incubator/jobs
The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information.
Rundeck, Process Automation version 4.17.0 up to 4.17.2
Patched versions: 4.17.3
Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.
- http[s]://host/context/rdJob/*
- http[s]://host/context/api/*/incubator/jobs
If you have any questions or comments about this advisory:
* Open an issue in our forums
* Enterprise Customers can open a Support ticket
| Score | Percentile |
|---|---|
| 0.21% | 43.89% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-xvmv-4rx6-x6jx ↗ |
| CVE | CVE-2023-47112 ↗ |
| CWE id | Name |
|---|---|
| CWE-862 | Missing Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | org.rundeck:rundeckapp | >= 4.17.0, < 4.17.3 | 4.17.3 | — |