NVD Vulnerability Detail

CVE-2020-11009

Summary	In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher. This vulnerability is patched in version 3.2.6
Publication Date	April 30, 2020, 2:15 a.m.
Registration Date	Jan. 26, 2021, 11:50 a.m.
Last Update	Nov. 21, 2024, 1:56 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:pagerduty:rundeck::::::::					3.2.6

Related information, measures and tools

No	URL	タグ
1	https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html	Release Notes Vendor Advisory
2	https://github.com/rundeck/rundeck/security/advisories/GHSA-5679-7qrc-5m7j	Third Party Advisory
3	https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html	Release Notes Vendor Advisory
4	https://github.com/rundeck/rundeck/security/advisories/GHSA-5679-7qrc-5m7j	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-639	ユーザ制御の鍵による認証回避	https://cwe.mitre.org/data/definitions/639.html

JVN Vulnerability Information

Rundeck における情報漏えいに関する脆弱性

Title	Rundeck における情報漏えいに関する脆弱性
Summary	Rundeck には、情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 28, 2020, midnight
Registration Date	May 29, 2020, 6:13 p.m.
Last Update	May 29, 2020, 6:13 p.m.

Affected System

Rundeck, Inc.

Rundeck 3.2.6 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-11009	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11009
National Vulnerability Database (NVD)
2	CVE-2020-11009	https://nvd.nist.gov/vuln/detail/CVE-2020-11009

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
GitHub
1	IDOR can reveal execution data and logs to unauthorized user	https://github.com/rundeck/rundeck/security/advisories/GHSA-5679-7qrc-5m7j
Rundeck, Inc.
2	Release 3.2.6	https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html

Change Log

No	Changed Details	Date of change
1	[2020年05月29日] 掲載	May 29, 2020, 6:13 p.m.