CVE-2021-39133

Severity: Medium
Published Aug 30, 2021 · Modified Jun 17, 2026
CVSS 3.1 Base Score: 6.8 (Medium)

Description

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.

CVSS Details

Base Score 6.8
Exploitability 0.9
Impact 5.9
Vector String CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 2

Vendor      Product   Version   Range
pagerduty   rundeck   *         <3.3.14
pagerduty   rundeck   *         ≥3.4.0 and <3.4.3

References 2

  • github.com https://github.com/rundeck/rundeck/commit/67c4eedeaf9509fc0b255aff15977a5229ef13b9
    Patch, Third Party Advisory
  • github.com https://github.com/rundeck/rundeck/security/advisories/GHSA-3jmw-c69h-426c
    Third Party Advisory

Remediation

  • github.com https://github.com/rundeck/rundeck/commit/67c4eedeaf9509fc0b255aff15977a5229ef13b9
    Patch, Third Party Advisory