CVE-2024-22257
FALSE POSITIVE
Rundeck and Runbook Automation are not vulnerable to this CVE.
Overview
Security scanners have incorrectly flagged Rundeck 5.X series as vulnerable to CVE-2023-34034. This is a false positive detection due to naming similarities between different security packages.
Technical Details
Rundeck 5.X series uses:
- Grails 6
- Spring Security 5.8.15 (secure version)
Source of Confusion
The false positive occurs due to similarly named JAR files in the WAR build:
583548 Mon May 05 12:39:28 PDT 2025 WEB-INF/lib/spring-security-core-6.1.1.jar
494949 Mon May 05 12:39:28 PDT 2025 WEB-INF/lib/spring-security-core-5.8.15.jar
Important Clarification
The spring-security-core-6.1.1.jar file is actually the Grails Security Plugin, not the Spring Security framework. Some security scanners mistakenly identify this as Spring Security 6.1.1, triggering the false CVE-2023-34034 alert.
Verification
To confirm this is a false positive:
- The actual Spring Security implementation is version 5.8.15
- The 6.1.1 JAR file belongs to the Grails Security Plugin
- Rundeck 5.X is not affected by CVE-2024-22257
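A check of this kind, as an added example that is not from the Rundeck project: instead of trusting the JAR file name, it reads the Maven coordinates embedded in each spring-security-*.jar under WEB-INF/lib and reports only org.springframework.security artifacts as the framework. It assumes the JARs carry META-INF/maven/.../pom.properties and that the Grails plugin is published under groupId org.grails.plugins; the two sample JARs are constructed in memory.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# groupId of the real Spring Security framework. The Grails plugin that shares the
# artifactId is assumed here to be published under org.grails.plugins.
SPRING_SECURITY_GROUP = "org.springframework.security"
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def maven_coordinates(jar_bytes):
    """Return {'groupId','artifactId','version'} from the JAR's pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if POM_RE.match(name):
                lines = jar.read(name).decode("utf-8", "replace").splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                return {k: props.get(k) for k in ("groupId", "artifactId", "version")}
    return None

def classify_jars(war_entries):
    """war_entries: {path inside the WAR: jar bytes}. Classifies every spring-security-*.jar
    by its embedded groupId rather than by its file name."""
    report = {}
    for path, data in war_entries.items():
        if not PurePosixPath(path).name.startswith("spring-security-"):
            continue
        coords = maven_coordinates(data) or {}
        report[path] = {**coords, "is_spring_framework": coords.get("groupId") == SPRING_SECURITY_GROUP}
    return report

def framework_versions(war_entries):
    """Versions of the genuine framework; these are the only values a CVE match should consider."""
    return sorted({r.get("version") or "?" for r in classify_jars(war_entries).values()
                   if r["is_spring_framework"]})

def war_entries_from_file(war_path):
    """Read WEB-INF/lib/*.jar out of a real WAR on disk (no sample data involved)."""
    with zipfile.ZipFile(war_path) as war:
        return {n: war.read(n) for n in war.namelist()
                if n.startswith("WEB-INF/lib/") and n.endswith(".jar")}

# Constructed sample: two JARs sharing the artifactId but coming from different groupIds.
def _sample_jar(group, artifact, version):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                   f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()

SAMPLE_WAR_ENTRIES = {
    "WEB-INF/lib/spring-security-core-6.1.1.jar": _sample_jar("org.grails.plugins", "spring-security-core", "6.1.1"),
    "WEB-INF/lib/spring-security-core-5.8.15.jar": _sample_jar(SPRING_SECURITY_GROUP, "spring-security-core", "5.8.15"),
}
```

Run `classify_jars(war_entries_from_file("rundeck.war"))` against a real build to see which of the two JARs is the framework; a scanner that matches on file name alone will keep reporting 6.1.1.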