Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authorization Bypass Through User-Controlled Key in Rundeck
Vulnerability Description
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Rundeck 安全漏洞
Vulnerability Description
Rundeck是美国Rundeck公司的一款带有Web控制台、命令行工具和WebAPI的开源自动化服务,它主要用于运行自动化任务。 Rundeck 3.4.5 和 3.3.15 之前版本存在安全漏洞,该漏洞源于有权读取一个项目中的 webhook 的经过身份验证的用户可以制作一个请求以显示另一个项目中的 Webhook 定义和令牌。用户可以使用显示的 webhook 令牌来触发 webhook。严重性取决于经过身份验证的用户的信任级别以及是否存在任何触发敏感操作的 webhook。
CVSS Information
N/A
Vulnerability Type
N/A