# Security Advisories
April 4th, 2022
The Rundeck / Process Automation team has released a hotfix version 4.0.1 to address the vulnerabilities in Spring Framework announced here.
All future releases will also include this fix.
Download the latest version here.
# Past Rundeck CVEs
These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck (4.4.0) for the latest security updates.
- CVE-2022-29186: Key Pair Misconfiguration may expose systems.
- CVE-2021-41112: Authenticated users can modify Calendars without appropriate authorization.
- CVE-2021-41111: Webhook data and tokens can be revealed to an unauthorized user.
- CVE-2021-39133: Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server.
- CVE-2021-39132: YAML deserialization can run untrusted code.
- CVE-2020-11009: IDOR can reveal execution data and logs to unauthorized user.
For information about Log4j / Log4Shell please see this page.