CVE-2023-48222

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666	Vendor Advisory
https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pagerduty:rundeck:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:31

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.4~~	v2 : unknown v3 : 8.1
References	~~() https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666 - Vendor Advisory~~	() https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666 - Vendor Advisory

25 Nov 2023, 02:06

Type	Values Removed	Values Added
First Time		Pagerduty Pagerduty rundeck
CPE		cpe:2.3:a:pagerduty:rundeck::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666 -~~	() https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666 - Vendor Advisory

16 Nov 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-16 22:15

Updated : 2024-11-21 08:31

NVD link : CVE-2023-48222

Mitre link : CVE-2023-48222

CVE.ORG link : CVE-2023-48222

JSON object : View

Products Affected

pagerduty

rundeck

CWE

CWE-862

Missing Authorization

{"id": "CVE-2023-48222", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2023-11-16T22:15:28.757", "references": [{"url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n"}, {"lang": "es", "value": "Rundeck es un servicio de automatizaci\u00f3n de c\u00f3digo abierto con una consola web, herramientas de l\u00ednea de comandos y una WebAPI. En las versiones afectadas, el acceso a dos URL utilizadas en los productos Rundeck Open Source y Process Automation podr\u00eda permitir a los usuarios autenticados acceder a la ruta URL, lo que permitir\u00eda el acceso para ver o eliminar trabajos, sin las comprobaciones de autorizaci\u00f3n necesarias. Este problema se solucion\u00f3 en la versi\u00f3n 4.17.3. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-11-21T08:31:14.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pagerduty:rundeck:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "479BFA5A-0EF8-45F6-9891-7BB0B76C4AFC", "versionEndExcluding": "4.17.3", "versionStartIncluding": "4.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}