Miggo Logo

CVE-2023-48222: Authenticated Rundeck users can view or delete jobs they do not have authorization for.

8.1

CVSS Score
3.1

Basic Information

EPSS Score
0.46342%
Published
11/16/2023
Updated
11/17/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.rundeck:rundeckmaven>= 4.12.0, < 4.17.34.17.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing authorization checks on two specific URL patterns. In MVC frameworks like Grails (used by Rundeck), URL routes map to controller actions. The /rdJob/* and /api/*/incubator/jobs endpoints would be handled by controller methods that likely lacked @AuthorizedExecution or similar security annotations. These functions would process job operations without verifying if the authenticated user has required permissions, directly enabling the vulnerability. The confidence is high because the CWE-862 description and URL patterns strongly indicate controller-level authorization gaps.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

****ss to two URLs us** in *ot* Run***k Op*n Sour** *n* Pro**ss *utom*tion pro*u*ts *oul* *llow *ut**nti**t** us*rs to ****ss t** URL p*t*, w*i** woul* *llow ****ss to vi*w or **l*t* jo*s, wit*out t** n***ss*ry *ut*oriz*tion ****ks. T** *****t** URL

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks on two sp**i*i* URL p*tt*rns. In MV* *r*m*works lik* *r*ils (us** *y Run***k), URL rout*s m*p to *ontroll*r **tions. T** /r*Jo*/* *n* /*pi/*/in*u**tor/jo*s *n*points woul* ** **n*l** *y *ontro