# Security Notices

Below is a collection of security notices previously filed for Rundeck and Process Automation. Also included is a list of false positives that vulnerability scanners may report, with explanations of why we consider each one a false positive. If you have any concerns about the security of Rundeck or questions about a new finding, please reach out to us using the Support Instructions.

Download the latest version here.

# Rundeck/Process Automation CVEs

These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck (4.9.0) for the latest security updates.

  • CVE-2022-31044
    Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1.
  • CVE-2022-29186
    Key Pair Misconfiguration may expose systems.
  • CVE-2021-41112
    Authenticated users can modify Calendars without appropriate authorization.
  • CVE-2021-41111
    Webhook data and tokens can be revealed to an unauthorized user.
  • CVE-2021-39133
    Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server.
  • CVE-2021-39132
    YAML deserialization can run untrusted code.
  • CVE-2020-11009
    IDOR can reveal execution data and logs to an unauthorized user.

# False Positive Findings

Last Updated: 1/27/2023, 10:22:09 PM