Security Notices

Below is a collection of security notices previously filed for Rundeck and Runbook Automation. Also included is a list of false positives that vulnerability scanners may find with explanations about why we consider it a false positive. If there are any concerns about the security of Rundeck or questions about a new finding please reach out to us using the Support Instructions.

Download the latest version here.

Rundeck/Runbook Automation CVEs

These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck (5.7.0) for the latest security updates.

• CVE-2023-48222
  
  Authenticated users can view or delete jobs for which they do not have authorization.
• CVE-2023-47112
  
  Authenticated users can view job names and groups for which they do not have read authorization.
• CVE-2022-31044
  
  Key Storage converter plugin mechanism were not enabled correctly in Rundeck 4.2.0 and 4.2.1.
• CVE-2022-29186
  
  Key Pair Misconfiguration may expose systems.
• CVE-2021-41112
  
  Authenticated users can modify Calendars without appropriate authorization.
• CVE-2021-41111
  
  Webhook data and tokens can be revealed to an unauthorized user.
• CVE-2021-39133
  
  Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server.
• CVE-2021-39132
  
  YAML deserialization can run untrusted code.
• CVE-2020-11009
  
  IDOR can reveal execution data and logs to unauthorized user.

Additional CVE Notes

• Log4j / Log4Shell will flag a false positive vulnerability related to our JIRA plugins. More Details on this page
• CVE-2022-45868 H2 DB false positive.
• CVE-2022-1471 SnakeYAML false positive.
• CVE-2024-1597 Postgres JDBC Driver Vulnerability.
• CVE-2016-1000027 Spring Unsafe Java deserialization.
• CVE-2023-39017 Quartz Scheduler false positive.