Skip to main content

Security Notices


Security Notices

Below is colletion of security notices previously filed for Rundeck and Process Automation. Also included is a list of false positives that vulnerability scanners may find with explanations about why we consider it a false positive. If there are any concerns about the security of Rundeck or quesitons about a new finding please reach out to us using the Support Instructions.

Download the latest version hereopen in new window.

Rundeck/Process Automation CVEs

These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck (5.3.0) for the latest security updates.

  • CVE-2023-48222
    Authenticated users can view or delete jobs for which they do not have authorization.
  • CVE-2023-47112
    Authenticated users can view job names and groups for which they do not have read authorization.
  • CVE-2022-31044
    Key Storage converter plugin mechanism were not enabled correctly in Rundeck 4.2.0 and 4.2.1.
  • CVE-2022-29186
    Key Pair Misconfiguration may expose systems.
  • CVE-2021-41112
    Authenticated users can modify Calendars without appropriate authorization.
  • CVE-2021-41111
    Webhook data and tokens can be revealed to an unauthorized user.
  • CVE-2021-39133
    Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server.
  • CVE-2021-39132
    YAML deserialization can run untrusted code.
  • CVE-2020-11009
    IDOR can reveal execution data and logs to unauthorized user.

Additional CVE Notes