
YAML deserialization can run untrusted code

Moderate severity GitHub Reviewed Published Aug 28, 2021 in rundeck/rundeck • Updated Feb 1, 2023

Package

maven org.rundeck:rundeck-core (Maven)

Affected versions

>= 3.4.0, < 3.4.3
< 3.3.14

Patched versions

3.4.3
3.3.14

Description

Impact

An authorized user can upload a zip-format plugin with a crafted plugin.yaml, a crafted aclpolicy yaml file, or an untrusted project archive containing a crafted aclpolicy yaml file, causing the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request that causes the server to run untrusted code on Rundeck Enterprise Edition.

The zip-format plugin issue requires authentication and authorization at this access level, and affects all Rundeck editions:

  • admin level access to the system resource type

The ACL Policy yaml file upload issue requires authentication and authorization at one of these access levels, and affects all Rundeck editions:

  • create update or admin level access to a project_acl resource
  • create update or admin level access to the system_acl resource

The POST request issue requires authentication but no specific authorization, and affects Rundeck Enterprise only.
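The root cause named in the title is YAML deserialization that honours explicit class tags in an uploaded document. The following is an added example, not Rundeck's own code and not the patch described above: it loads a plugin.yaml-style descriptor with SnakeYAML's SafeConstructor, which only knows the core YAML types, so a `!!<class name>` tag in an uploaded file is rejected instead of being instantiated. It assumes SnakeYAML 1.33 or later (or 2.x), where the `SafeConstructor(LoaderOptions)` constructor exists; the descriptor keys and the two sample documents are constructed for the example and are not Rundeck's real plugin schema.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example (not Rundeck's code): parse an untrusted YAML descriptor with a
 * loader that resolves only the standard YAML tags (str, int, map, seq, ...),
 * so an explicit class tag in the document cannot instantiate arbitrary JVM classes.
 * Assumes SnakeYAML 1.33+ or 2.x.
 */
public final class SafePluginYamlLoader {

    // Constructed sample: a plausible descriptor shape, harmless by itself.
    static final String BENIGN_PLUGIN_YAML =
        "name: example-plugin\n"
      + "version: 1.0.0\n"
      + "providers:\n"
      + "  - name: example\n"
      + "    service: WorkflowStep\n";

    // Constructed sample: the same document, but one value carries an explicit
    // class tag. With SnakeYAML's default Constructor the library would try to
    // instantiate whatever class the uploader names; java.lang.Object stands in
    // here for "any class name an uploader could write".
    static final String TAGGED_PLUGIN_YAML =
        "name: example-plugin\n"
      + "version: !!java.lang.Object {}\n";

    private static Yaml newSafeYaml() {
        LoaderOptions opts = new LoaderOptions();
        // SafeConstructor maps unknown tags to ConstructUndefined, which throws.
        return new Yaml(new SafeConstructor(opts));
    }

    /** Parses an untrusted descriptor; returns null when the document is rejected. */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> loadDescriptor(String yamlText) {
        try {
            Object root = newSafeYaml().load(yamlText);
            if (!(root instanceof Map)) {
                return null; // a descriptor must be a mapping at the top level
            }
            return (Map<String, Object>) root;
        } catch (YAMLException e) {
            // ConstructorException (a YAMLException) is raised for any tag the
            // safe loader has no constructor for, including "!!<class name>".
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> ok = loadDescriptor(BENIGN_PLUGIN_YAML);
        System.out.println("benign descriptor name: " + ok.get("name"));
        Map<String, Object> rejected = loadDescriptor(TAGGED_PLUGIN_YAML);
        System.out.println("tagged descriptor accepted? " + (rejected != null));
    }
}
```

The design point is that the parser, not a regex over the upload, enforces the type boundary: any document that needs a class tag to express its content is rejected at load time, before application code sees a Map. The same loader configuration applies to the aclpolicy upload and POST paths described above, since all of them hand attacker-supplied YAML to the same kind of parser.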

Patches

Versions 3.4.3, 3.3.14

Workarounds

Please visit https://rundeck.com/security for information about specific workarounds.

For more information

If you have any questions or comments about this advisory:

To report security issues to Rundeck please use the form at https://rundeck.com/security

Reporter: Rojan Rijal from Tinder Red Team

References

@fdevans fdevans published to rundeck/rundeck Aug 28, 2021
Published by the National Vulnerability Database Aug 30, 2021
Reviewed Aug 30, 2021
Published to the GitHub Advisory Database Sep 1, 2021
Last updated Feb 1, 2023

Severity

Moderate

EPSS score

0.106%
(45th percentile)

Weaknesses

CVE ID

CVE-2021-39132

GHSA ID

GHSA-q4rf-3fhx-88pf

Source code
