CVE-2023-39017
Quartz Scheduler False Positive
CVE-2023-39017 might be flagged in Rundeck/Runbook Automation by scanning tools as a vulnerability found in the codebase.
This CVE is specific to the quartz-jobs library, an optional library of pre-built jobs for the Quartz Scheduler, where incorrect use of the org.quartz.jobs.ee.jms.SendQueueMessageJob.execute method could lead to a code injection vulnerability.
Rundeck/Runbook Automation is not affected because it uses only the Quartz Scheduler core library and does not use or include the quartz-jobs library in its codebase.
This CVE is also disputed. See https://github.com/quartz-scheduler/quartz/issues/943.
The team is working on ways to mitigate the false finding and will update this page and Release Notes when we make progress.
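To confirm on a given installation that the quartz-jobs class named above is absent, the archive can be searched directly, including the jars nested inside it. The script below is an added example, not part of Rundeck or its tooling; the archive and jar names in the samples are constructed, and relocated (shaded) copies of the class are not detected.

```python
import io
import sys
import zipfile

# Class named in the CVE; it ships in the optional quartz-jobs artifact, not quartz core.
TARGET = "org/quartz/jobs/ee/jms/SendQueueMessageJob.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def find_class(data, label, target=TARGET, depth=0, max_depth=4):
    """Return the nested paths at which `target` occurs inside archive bytes `data`."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to report
    with zf:
        for name in zf.namelist():
            # Match at the archive root or under a prefix such as WEB-INF/classes/.
            if name == target or name.endswith("/" + target):
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                nested = f"{label}!/{name}"
                hits += find_class(zf.read(name), nested, target, depth + 1, max_depth)
    return hits


def _make_zip(entries):
    """Build an in-memory archive from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a WAR with quartz core only, and one that also bundles quartz-jobs.
CORE_JAR = _make_zip({"org/quartz/Scheduler.class": b""})
JOBS_JAR = _make_zip({TARGET: b""})
CLEAN_WAR = _make_zip({"WEB-INF/lib/quartz-x.jar": CORE_JAR})
FLAGGED_WAR = _make_zip({"WEB-INF/lib/quartz-x.jar": CORE_JAR,
                         "WEB-INF/lib/quartz-jobs-x.jar": JOBS_JAR})

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the path to the installed WAR
        with open(path, "rb") as fh:
            found = find_class(fh.read(), path)
        print(path, "->", found or "SendQueueMessageJob not present")
```

An empty result for the deployed archive is the evidence to attach when recording the scanner finding as a false positive.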