# Security Notices
Below is a collection of security notices previously filed for Rundeck and Process Automation. Also included is a list of false positives that vulnerability scanners may find, with explanations of why we consider each a false positive. If there are any concerns about the security of Rundeck or questions about a new finding, please reach out to us using the Support Instructions.
Download the latest version here.
# Rundeck/Process Automation CVEs
These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck (4.13.0) for the latest security updates.
- Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1.
- Key Pair misconfiguration may expose systems.
- Authenticated users can modify Calendars without appropriate authorization.
- Webhook data and tokens can be revealed to an unauthorized user.
- Cross-Site Request Forgery (CSRF) can run untrusted code on the Rundeck server.
- YAML deserialization can run untrusted code.
- IDOR can reveal execution data and logs to an unauthorized user.
# False Positive Findings
- Log4j / Log4Shell scanners will flag a false positive vulnerability related to our JIRA plugins. More details on this page.
- CVE-2022-45868 H2 DB false positive.
- CVE-2022-1471 SnakeYAML false positive.