QID 981316
QID 981316: Java (maven) Security Update for org.rundeck:rundeck-core (GHSA-q4rf-3fhx-88pf)
Security update has been released for org.rundeck:rundeck-core to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.
The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
* `admin` level access to the `system` resource type
The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
* `create` `update` or `admin` level access to a `project_acl` resource
* `create` `update` or `admin` level access to the `system_acl` resource
The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.
Please visit [https://rundeck.com/security](https://rundeck.com/security) for information about specific workarounds.
- GHSA-q4rf-3fhx-88pf -
github.com/advisories/GHSA-q4rf-3fhx-88pf
CVEs related to QID 981316
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-q4rf-3fhx-88pf | org.rundeck:rundeck-core |
github.com/advisories/GHSA-q4rf-3fhx-88pf |