CVE-2024-24786
Update
Remco has released a patched version that addresses this package finding; it is included in our 5.11.0 release. The false-positive assessment below still applies to older versions of Rundeck.
Remco / Google Protobuf vulnerability
FALSE POSITIVE
Rundeck and Runbook Automation are not vulnerable to this CVE.
The vulnerability exists in all versions of google.golang.org/protobuf before 1.33.0. That library is used by Remco, not directly by Rundeck. Currently, the Rundeck and Runbook Automation Dockerfile that builds Remco pins a specific commit, which uses protobuf version 1.32.0. In December 2024 a newer commit patches this version, but a new release version has not been issued.
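One way to verify the first point on a built image, as an added example that is not part of this advisory or of the Remco project: Go embeds its module list in every binary it builds, and `go version -m <binary>` prints that list, so the compiled-in google.golang.org/protobuf version can be read from the remco binary itself rather than inferred from the Dockerfile. The listing below is a constructed sample of that output (the remco module path is assumed and the `h1:` checksum is a placeholder); the parsing and version-comparison helpers are ours, not Remco's or Go's.

```shell
#!/bin/sh
# Added example, not from the Rundeck advisory: read the google.golang.org/protobuf
# version linked into a Go binary (e.g. remco) from `go version -m` output and
# decide whether it is older than the 1.33.0 fix for CVE-2024-24786.

# Constructed sample of `go version -m remco` output. The module path is an
# assumption and the h1: checksum is a placeholder, not a real value.
SAMPLE_GO_VERSION_M=$(printf 'remco: go1.21.6\n\tpath\tgithub.com/HeavyHorst/remco/cmd/remco\n\tmod\tgithub.com/HeavyHorst/remco\t(devel)\n\tdep\tgoogle.golang.org/protobuf\tv1.32.0\th1:constructed-placeholder=\n\tbuild\t-buildmode=exe\n')

# Print the version of module $1 from a `go version -m` listing read on stdin.
# Dependency lines have the form "<tab>dep<tab><module><tab><version><tab><sum>";
# awk's default field splitting handles the tabs. Prints nothing if not linked in.
protobuf_version_from_listing() {
    awk -v want="$1" '$1 == "dep" && $2 == want { print $3; exit }'
}

# Compare two versions of the form vX.Y.Z numerically; prints "lt", "eq" or "gt".
# Pre-release suffixes (v1.33.0-rc1) are ignored, which is conservative here.
semver_cmp() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print "lt"; exit }
            if (x > y) { print "gt"; exit }
        }
        print "eq"
    }'
}

# Succeed (exit 0) when the listing on stdin links google.golang.org/protobuf
# older than 1.33.0, i.e. the vulnerable code is present in the binary.
protobuf_is_affected() {
    ver=$(protobuf_version_from_listing google.golang.org/protobuf)
    [ -n "$ver" ] || return 1   # module not linked in: the finding cannot apply
    [ "$(semver_cmp "$ver" v1.33.0)" = "lt" ]
}

# Real use inside the container: go version -m "$(command -v remco)" | protobuf_is_affected
# Here the constructed sample is checked instead.
if printf '%s\n' "$SAMPLE_GO_VERSION_M" | protobuf_is_affected; then
    echo "protobuf < 1.33.0 is linked into this build: the vulnerable code is present"
else
    echo "protobuf is 1.33.0 or newer, or not linked in: the finding does not apply"
fi
```

An "affected" result only says the vulnerable library version is present in the binary; as the advisory explains, that code is reached only when Remco is configured with a backend that uses it, which the Rundeck products do not do.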
Most importantly, Protobuf is used by Remco only when it is configured to receive config values from other backends such as Redis, or secrets from Vault. Rundeck and Runbook Automation products do not use those Remco modes, and therefore are not vulnerable to this finding.