{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48222", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-13T13:25:18.480Z", "datePublished": "2023-11-16T21:59:17.837Z", "dateUpdated": "2024-08-29T14:41:54.188Z"}, "containers": {"cna": {"title": "Authenticated users can view or delete jobs they do not have authorization for in Rundeck", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666"}], "affected": [{"vendor": "rundeck", "product": "rundeck", "versions": [{"version": ">= 4.12.0, < 4.17.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-16T21:59:17.837Z"}, "descriptions": [{"lang": "en", "value": "Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n"}], "source": {"advisory": "GHSA-phmw-jx86-x666", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:23:39.033Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T14:41:33.444791Z", "id": "CVE-2023-48222", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:41:54.188Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "name": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:23:39.033Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-48222", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T14:41:33.444791Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:41:45.772Z"}}], "cna": {"title": "Authenticated users can view or delete jobs they do not have authorization for in Rundeck", "source": {"advisory": "GHSA-phmw-jx86-x666", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rundeck", "product": "rundeck", "versions": [{"status": "affected", "version": ">= 4.12.0, < 4.17.3"}]}], "references": [{"url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "name": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-16T21:59:17.837Z"}}}, "cveMetadata": {"cveId": "CVE-2023-48222", "state": "PUBLISHED", "dateUpdated": "2024-08-29T14:41:54.188Z", "dateReserved": "2023-11-13T13:25:18.480Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-11-16T21:59:17.837Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pagerduty:rundeck:*:*:*:*:*:*:*:*", "matchCriteriaId": "479BFA5A-0EF8-45F6-9891-7BB0B76C4AFC", "versionEndExcluding": "4.17.3", "versionStartIncluding": "4.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n"}, {"lang": "es", "value": "Rundeck es un servicio de automatizaci\u00f3n de c\u00f3digo abierto con una consola web, herramientas de l\u00ednea de comandos y una WebAPI. En las versiones afectadas, el acceso a dos URL utilizadas en los productos Rundeck Open Source y Process Automation podr\u00eda permitir a los usuarios autenticados acceder a la ruta URL, lo que permitir\u00eda el acceso para ver o eliminar trabajos, sin las comprobaciones de autorizaci\u00f3n necesarias. Este problema se solucion\u00f3 en la versi\u00f3n 4.17.3. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-48222", "lastModified": "2023-11-25T02:06:51.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-16T22:15:28.757", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-phmw-jx86-x666"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}