First published: Thu Nov 16 2023
Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The affected URLs are:

- `http[s]://[host]/context/rdJob/*`
- `http[s]://[host]/context/api/*/incubator/jobs`

The output of these endpoints only exposes the names of job groups and the jobs contained within the specified project. The output is read-only, and the access does not allow changes to the information.

### Impact

Rundeck and Process Automation versions 4.17.0 up to 4.17.2

### Patches

Patched version: 4.17.3

### Workarounds

Access to the two URLs used in either Rundeck Open Source or Process Automation products could be blocked at the load balancer level:

- `http[s]://host/context/rdJob/*`
- `http[s]://host/context/api/*/incubator/jobs`

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [our forums](https://community.pagerduty.com/forum/c/process-automation)
* Enterprise customers can open a [Support ticket](https://support.rundeck.com)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.rundeck:rundeckapp | >=4.17.0, <4.17.3 | 4.17.3 |
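The load balancer block described under Workarounds and the affected range in the table above, as an added Python example (not Rundeck's own code): a matcher that canonicalises request targets before testing them against the two listed endpoints, so that equivalent spellings of a path reach the same rule, plus a check of whether a version string falls inside the affected range. The `/context` prefix is the advisory's placeholder; substitute your deployment's context path.

```python
import posixpath
import re
from urllib.parse import unquote

# Added example, not Rundeck's own code. The context path ("/context" in the
# advisory) is deployment specific; pass your instance's prefix explicitly.
AFFECTED_PATH_RES = (
    re.compile(r"^/rdJob(?:/.*)?$"),             # [context]/rdJob/*
    re.compile(r"^/api/[^/]+/incubator/jobs$"),  # [context]/api/*/incubator/jobs
)

def normalize_path(request_target: str) -> str:
    """Canonicalise a request target so equivalent spellings (percent-encoding,
    duplicate slashes, dot segments, trailing slash) land on the same rule.
    Query string and fragment are discarded."""
    path = request_target.split("#", 1)[0].split("?", 1)[0]
    path = posixpath.normpath("/" + unquote(path))
    return re.sub(r"^/+", "/", path)  # normpath keeps a leading "//"

def is_affected_endpoint(request_target: str, context: str = "/context") -> bool:
    """True if the target is one of the two endpoints named in the advisory."""
    path = normalize_path(request_target)
    prefix = normalize_path(context)
    if prefix == "/":
        rest = path
    elif path == prefix or path.startswith(prefix + "/"):
        rest = path[len(prefix):] or "/"
    else:
        return False
    return any(r.match(rest) for r in AFFECTED_PATH_RES)

def count_hits(request_targets, context: str = "/context") -> int:
    """Number of request targets (e.g. from a proxy access log) that reach the
    affected endpoints; on an unpatched instance these deserve review."""
    return sum(is_affected_endpoint(t, context) for t in request_targets)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
def is_affected_version(version: str) -> bool:
    """True for 4.17.0 <= version < 4.17.3, the range in the advisory's table.
    Suffixes like '-SNAPSHOT' are ignored; unparsable strings return False."""
    m = _VERSION_RE.match(version)
    return bool(m) and (4, 17, 0) <= tuple(int(p) for p in m.groups()) < (4, 17, 3)

if __name__ == "__main__":
    # Constructed sample request targets, not real log data.
    sample = ["/context/rdJob/list", "/context/api/45/incubator/jobs?project=demo",
              "/context//rdJob/list", "/context/api/45/jobs", "/context/project/demo/jobs"]
    print("affected-endpoint hits:", count_hits(sample))        # 3
    print("4.17.2 affected:", is_affected_version("4.17.2"))     # True
```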
The vulnerability ID of this issue is GHSA-xvmv-4rx6-x6jx.
The severity of GHSA-xvmv-4rx6-x6jx is medium (4.3).
This vulnerability affects both Rundeck Open Source and Process Automation products.
An authenticated user can access the URL path to obtain a list of job names and groups for any project without proper authorization checks.
The recommended version to fix this vulnerability is 4.17.3 or later.