{"id":"CVE-2021-39132","details":"Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:`admin` level access to the `system` resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: `create` `update` or `admin` level access to a `project_acl` resource, and/or`create` `update` or `admin` level access to the `system_acl` resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14","aliases":["GHSA-q4rf-3fhx-88pf"],"modified":"2026-04-10T04:37:01.231308Z","published":"2021-08-30T20:15:07.660Z","related":["GHSA-q4rf-3fhx-88pf"],"references":[{"type":"ADVISORY","url":"https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf"},{"type":"FIX","url":"https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rundeck/rundeck","events":[{"introduced":"0"},{"fixed":"6004a99ec04b1ec208354d05124664b3c37f906b"},{"introduced":"0"},{"fixed":"6004a99ec04b1ec208354d05124664b3c37f906b"},{"introduced":"50272b9ab5a36de1b5b691931bc5bf136923966d"},{"fixed":"b63668156cbdc71ef6b8ae9caece481c77ef80ac"},{"introduced":"50272b9ab5a36de1b5b691931bc5bf136923966d"},{"fixed":"b63668156cbdc71ef6b8ae9caece481c77ef80ac"},{"fixed":"850d12e21d22833bc148b7f458d7cb5949f829b6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.14"},{"introduced":"0"},{"fixed":"3.3.14"},{"introduced":"3.4.0"},{"fixed":"3.4.3"},{"introduced":"3.4.0"},{"fixed":"3.4.3"}]}}],"versions":["grails338-oci-baseline","v1.1","v1.1-docs1","v1.3","v1.4","v1.4.0","v1.4.0.1","v1.4.1","v1.4.3","v1.4.4","v1.5","v1.5-01","v1.5-02","v1.5-03","v1.5-1","v1.5-rc1","v1.5-rc2","v1.5.1","v1.5.2","v1.5.3","v1.6.0","v1.6.0-rc1","v1.6.0-rc2","v1.6.0-rc3","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.1","v2.1.2","v2.10.0","v2.10.1","v2.10.2","v2.10.3","v2.10.4","v2.10.5","v2.10.6","v2.10.7","v2.10.8","v2.11.0","v2.11.1","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.3.0","v2.3.1","v2.3.2","v2.4.0","v2.5.0","v2.5.1","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.6.7","v2.6.8","v2.7.0","v2.7.1","v2.7.2","v2.7.3","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.9.0","v2.9.1","v2.9.2","v2.9.3","v2.9.4","v3.0.0","v3.0.0-alpha1","v3.0.0-alpha1-2","v3.0.0-alpha2","v3.0.0-alpha4","v3.0.0-beta1","v3.0.11","v3.0.13","v3.0.14","v3.0.15","v3.0.16","v3.0.17","v3.0.18","v3.0.19","v3.0.20","v3.0.21","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v3.2.1","v3.2.2","v3.2.5","v3.2.6","v3.3.0","v3.3.0-preview1","v3.3.0-preview2","v3.3.1","v3.3.10","v3.3.10-rc1","v3.3.10-rc2","v3.3.11","v3.3.11-rc1","v3.3.11-rc2","v3.3.11-rc3","v3.3.11-rc4","v3.3.12","v3.3.12-rc1","v3.3.12-rc2","v3.3.14-rc1","v3.3.5","v3.3.6","v3.3.6-rc2","v3.3.6-rc3","v3.3.6-rc4","v3.3.7","v3.3.7-rc1","v3.3.7-rc2","v3.3.8","v3.3.8-rc1","v3.3.8-rc5","v3.3.8-rc6","v3.3.8-rc7","v3.4.3-rc1","v3.4.3-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39132.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}