What is CVE-2021-39132?

CVE-2021-39132 is a vulnerability in Rundeck that allows an authorized user to upload a malicious plugin or project archive.

What is the severity of CVE-2021-39132?

CVE-2021-39132 has a severity value of 8.8, which is considered high.

How can an authorized user exploit CVE-2021-39132?

An authorized user can exploit CVE-2021-39132 by uploading a zip-format plugin with a crafted plugin.yaml, a crafted aclpolicy yaml file, or an untrusted project archive with a malicious content.

Which versions of Rundeck are affected by CVE-2021-39132?

Versions prior to 3.3.14 and 3.4.3 of Rundeck are affected by CVE-2021-39132.

Are there any fixes available for CVE-2021-39132?

Yes, the vulnerability has been fixed in versions 3.3.14 and 3.4.3 of Rundeck.

Vulnerability/
CVE-2021-39132

high

8.8

CWE

502

30/8/2021

4/8/2024

CVE-2021-39132: YAML deserialization can run untrusted code

First published: Mon Aug 30 2021(Updated: )

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:`admin` level access to the `system` resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: `create` `update` or `admin` level access to a `project_acl` resource, and/or`create` `update` or `admin` level access to the `system_acl` resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Pagerduty Rundeck	<3.3.14
Pagerduty Rundeck	<3.3.14
Pagerduty Rundeck	>=3.4.0<3.4.3
Pagerduty Rundeck	>=3.4.0<3.4.3

Remedy

https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-39132?
CVE-2021-39132 is a vulnerability in Rundeck that allows an authorized user to upload a malicious plugin or project archive.
What is the severity of CVE-2021-39132?
CVE-2021-39132 has a severity value of 8.8, which is considered high.
How can an authorized user exploit CVE-2021-39132?
An authorized user can exploit CVE-2021-39132 by uploading a zip-format plugin with a crafted plugin.yaml, a crafted aclpolicy yaml file, or an untrusted project archive with a malicious content.
Which versions of Rundeck are affected by CVE-2021-39132?
Versions prior to 3.3.14 and 3.4.3 of Rundeck are affected by CVE-2021-39132.
Are there any fixes available for CVE-2021-39132?
Yes, the vulnerability has been fixed in versions 3.3.14 and 3.4.3 of Rundeck.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/remedy
agent/author
agent/weakness
agent/severity
agent/last-modified-date
agent/title
agent/tags
agent/description
agent/event
agent/first-publish-date
vendor/pagerduty
canonical/pagerduty rundeck
version/pagerduty rundeck/3.4.0