First published: Thu Nov 16 2023(Updated: )
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. The affected URLs are: - `http[s]://[host]/context/rdJob/*` - `http[s]://[host]/context/api/*/incubator/jobs` ### Impact Rundeck, Process Automation version 4.12.0 up to 4.16.0 ### Patches Patched versions: 4.17.3 ### Workarounds Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level. - `http[s]://host/context/rdJob/*` - `http[s]://host/context/api/*/incubator/jobs` ### For more information If you have any questions or comments about this advisory: * Open an issue in [our forums](https://community.pagerduty.com/forum/c/process-automation) * Enterprise Customers can open a [Support ticket](https://support.rundeck.com)
Credit: firstname.lastname@example.org email@example.com
|Affected Software||Affected Version||How to fix|
The severity of CVE-2023-48222 is high with a CVSS score of 8.1.
The software affected by CVE-2023-48222 is Rundeck with versions 4.12.0 to 4.17.3.
Authenticated users can exploit CVE-2023-48222 by accessing the affected URLs `http[s]://[host]/context/rdJob/*` and performing unauthorized view or delete operations on jobs.
To fix CVE-2023-48222, upgrade Rundeck to version 4.17.3 or later.
CVE-2023-48222 can only be exploited by authenticated users, so remote exploitation is not possible.