Security Notices
Below is a collection of security notices previously filed for Rundeck and Runbook Automation. Also included is a list of findings that vulnerability scanners may report, with an explanation of why we consider each one a false positive. If you have any concerns about the security of Rundeck or questions about a new finding, please reach out to us using the Support Instructions.
Download the latest version here.
Rundeck/Runbook Automation CVEs
These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck (5.8.0) for the latest security updates.
- CVE-2023-48222: Authenticated users can view or delete jobs for which they do not have authorization.
- CVE-2023-47112: Authenticated users can view job names and groups for which they do not have read authorization.
- CVE-2022-31044: The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1.
- CVE-2022-29186: Key pair misconfiguration may expose systems.
- CVE-2021-41112: Authenticated users can modify Calendars without appropriate authorization.
- CVE-2021-41111: Webhook data and tokens can be revealed to an unauthorized user.
- CVE-2021-39133: Cross-Site Request Forgery (CSRF) can run untrusted code on the Rundeck server.
- CVE-2021-39132: YAML deserialization can run untrusted code.
- CVE-2020-11009: IDOR can reveal execution data and logs to an unauthorized user.
Additional CVE Notes
- Log4j / Log4Shell scans will flag a false positive vulnerability related to our JIRA plugins. More details on this page.
- CVE-2022-45868 H2 DB false positive.
- CVE-2022-1471 SnakeYAML false positive.
- CVE-2024-1597 Postgres JDBC Driver Vulnerability.
- CVE-2016-1000027 Spring Unsafe Java deserialization.
- CVE-2023-39017 Quartz Scheduler false positive.