Strix
26.1K

CVE-2020-11009

MEDIUMCVSS 6.5/10EPSS 1.37%

Last modified

CVE-2020-11009 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. EPSS estimates a 1.37% chance of exploitation in the next 30 days.

Description

In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher. This vulnerability is patched in version 3.2.6

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
1.37%

68.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
PagerdutyRundeck< 3.2.6

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-11009?
In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher. This vulnerability is patched in version 3.2.6
How severe is CVE-2020-11009?
CVE-2020-11009 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.37% probability of exploitation in the next 30 days.
How do I fix CVE-2020-11009?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-11009?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST