Below is a collection of security notices previously filed for Rundeck and Process Automation. Also included is a list of false positives that vulnerability scanners may report, with explanations of why we consider each one a false positive. If there are any concerns about the security of Rundeck or questions about a new finding, please reach out to us using the Support Instructions.
Rundeck/Process Automation CVEs
These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck (4.17.3) for the latest security updates.
Authenticated users can view or delete jobs for which they do not have authorization.
Authenticated users can view job names and groups for which they do not have read authorization.
The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1.
Key Pair Misconfiguration may expose systems.
Authenticated users can modify Calendars without appropriate authorization.
Webhook data and tokens can be revealed to an unauthorized user.
Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server.
YAML deserialization can run untrusted code.
IDOR can reveal execution data and logs to an unauthorized user.