8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-48222

GHSA ID

GHSA-phmw-jx86-x666

EPSS Score

0.46342%

CWE

CWE-862

Published

11/16/2023

Updated

11/17/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-48222

CVE-2023-48222: Authenticated Rundeck users can view or delete jobs they do not have authorization for.

Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks.

The affected URLs are:

http[s]://[host]/context/rdJob/*
http[s]://[host]/context/api/*/incubator/jobs

Impact

Rundeck, Process Automation version 4.12.0 up to 4.16.0

Patches

Patched versions: 4.17.3

Workarounds

Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.

http[s]://host/context/rdJob/*
http[s]://host/context/api/*/incubator/jobs

For more information

If you have any questions or comments about this advisory:

Open an issue in our forums
Enterprise Customers can open a Support ticket

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-48222

GHSA ID

GHSA-phmw-jx86-x666

EPSS Score

0.46342%

CWE

CWE-862

Published

11/16/2023

Updated

11/17/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.rundeck:rundeck	maven	>= 4.12.0, < 4.17.3	4.17.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks on two specific URL patterns. In MVC frameworks like Grails (used by Rundeck), URL routes map to controller actions. The /rdJob/* and /api/*/incubator/jobs endpoints would be handled by controller methods that likely lacked @AuthorizedExecution or similar security annotations. These functions would process job operations without verifying if the authenticated user has required permissions, directly enabling the vulnerability. The confidence is high because the CWE-862 description and URL patterns strongly indicate controller-level authorization gaps.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

****ss to two URLs us** in *ot* Run***k Op*n Sour** *n* Pro**ss *utom*tion pro*u*ts *oul* *llow *ut**nti**t** us*rs to ****ss t** URL p*t*, w*i** woul* *llow ****ss to vi*w or **l*t* jo*s, wit*out t** n***ss*ry *ut*oriz*tion ****ks. T** *****t** URL

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks on two sp**i*i* URL p*tt*rns. In MV* *r*m*works lik* *r*ils (us** *y Run***k), URL rout*s m*p to *ontroll*r **tions. T** /r*Jo*/* *n* /*pi/*/in*u**tor/jo*s *n*points woul* ** **n*l** *y *ontro

8.1

Basic Information

Concerned about an active attack path?

CVE-2023-48222: Authenticated Rundeck users can view or delete jobs they do not have authorization for.

Impact

Patches

Workarounds

For more information

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI