CVE-2021-41112

HIGH

Rundeck <3.4.5 - Privilege Escalation

Title source: llm
STIX 2.1

Description

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.

References (1)

Core 1
Core References

Scores

CVSS v3 8.1
EPSS 0.0074
EPSS Percentile 50.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
pagerduty/rundeck < 3.4.5
Published Feb 28, 2022
Tracked Since Feb 18, 2026