漏洞标题
authenticated users 可以查看工作名称和他们缺乏授权查看的组在 Rundeck 中
漏洞描述信息
已认证的用户可以查看他们在 Rundeck 中没有权限查看的作业名称和组
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
漏洞类别
授权机制缺失
漏洞标题
Authenticated users can view job names and groups they do not have authorization to view in Rundeck
漏洞描述信息
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information. This vulnerability has been patched in version 4.17.3. Users are advised to upgrade. Users unable to upgrade may block access to the two URLs used in either Rundeck Open Source or Process Automation products at a load balancer level.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
漏洞类别
授权机制缺失
漏洞标题
Rundeck 安全漏洞
漏洞描述信息
Rundeck是美国Rundeck公司的一款带有Web控制台、命令行工具和WebAPI的开源自动化服务,它主要用于运行自动化任务。 Rundeck 4.17.0 到4.17.2版本存在安全漏洞,该漏洞源于通过使用两个特殊的 URL 可以访问任何项目的作业名称和组列表,而无需进行必要的授权检查。
CVSS信息
N/A
漏洞类别
其他