YAML deserialization can run untrusted code
Description
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:admin level access to the system resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: create update or admin level access to a project_acl resource, and/orcreate update or admin level access to the system_acl resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.rundeck:rundeck-coreMaven | >= 3.4.0, < 3.4.3 | 3.4.3 |
org.rundeck:rundeck-coreMaven | < 3.3.14 | 3.3.14 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-q4rf-3fhx-88pfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-39132ghsaADVISORY
- github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6ghsax_refsource_MISCWEB
- github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.