CVE-2021-39132

CVSS 8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users to upload malicious files that can execute arbitrary code on Rundeck servers. It affects all Rundeck editions through multiple attack vectors including plugin uploads, ACL policy file uploads, and unauthorized POST requests (Enterprise only).

💻 Affected Systems

Products:
  • Rundeck Community Edition
  • Rundeck Enterprise Edition
Versions: All versions prior to 3.3.14 and 3.4.3
Operating Systems: All operating systems running Rundeck
Default Config Vulnerable: ⚠️ Yes
Notes: Different attack vectors affect different editions: plugin and ACL policy uploads affect all editions, while unauthorized POST requests only affect Enterprise Edition.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing attackers to execute arbitrary code, access sensitive data, and pivot to other systems in the network.

🟠 Likely Case: Privilege escalation leading to unauthorized access to automation workflows, credential theft, and lateral movement within the environment.

🟢 If Mitigated: Limited impact with proper access controls, but still poses risk from authorized malicious insiders or compromised accounts.

🌐 Internet-Facing: HIGH - Internet-facing Rundeck instances are directly accessible to attackers who can attempt credential stuffing or use compromised accounts.
🏢 Internal Only: HIGH - Internal instances remain vulnerable to insider threats, compromised accounts, and lateral movement from other breached systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but minimal technical skill once access is obtained. The vulnerability is well-documented in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.14 or 3.4.3

Vendor Advisory: https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the Rundeck service.
3. Update to Rundeck 3.3.14 (for the 3.3.x branch) or 3.4.3 (for the 3.4.x branch).
4. Restart the Rundeck service.
5. Verify functionality.

🔧 Temporary Workarounds

Restrict file upload permissions (applies to: all editions)

Limit which users can upload plugins and ACL policy files by modifying authorization policies.

Modify aclpolicy files to restrict 'create', 'update', and 'admin' permissions for 'project_acl' and 'system_acl' resources to only essential administrators.

Network segmentation (applies to: all editions)

Isolate Rundeck instances from sensitive systems and limit network access.

Configure firewall rules to restrict access to the Rundeck server to only the necessary management networks and users.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can upload files and modify ACL policies.
  • Monitor for suspicious file upload activities and unauthorized POST requests to /api endpoints.

🔍 How to Verify

Check if Vulnerable:

Check Rundeck version via web interface or configuration files. Versions below 3.3.14 (for 3.3.x) or below 3.4.3 (for 3.4.x) are vulnerable.

Check Version:

rundeckd version (CLI) or check version in web interface footer

Verify Fix Applied:

Confirm version is 3.3.14 or higher (3.3.x branch) or 3.4.3 or higher (3.4.x branch) and test that malicious file uploads are properly rejected.
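As an added example that is not part of this advisory, a small Python helper that applies the branch-aware version rule above to an inventory of Rundeck hosts: it parses the numeric version out of a Rundeck build string and flags anything older than the fix on its branch. It assumes that branches newer than 3.4 (3.5 and later) carry the fix, and the inventory and version strings it runs on are constructed samples.

```python
import re

# Fixed releases named in the advisory, keyed by minor branch.
FIXED = {(3, 3): (3, 3, 14), (3, 4): (3, 4, 3)}


def parse_version(text):
    """Extract the numeric x.y.z triple from a Rundeck version string.

    Build strings may carry a trailing suffix (the constructed sample
    "3.4.2-20210722" below); only the leading numeric triple matters here.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Rundeck version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(text):
    """Return True if the version predates the fix on its branch.

    3.3.x is fixed at 3.3.14 and 3.4.x at 3.4.3. Anything older than 3.3.14
    (e.g. 3.2.x) predates both fixes; newer branches (3.5+) are assumed to
    include the fix.
    """
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # No branch-specific fix known: compare against the oldest fixed release.
    return v < FIXED[(3, 3)]


def triage(inventory):
    """Map each host in {host: version} to 'vulnerable' or 'fixed'."""
    return {h: ("vulnerable" if is_vulnerable(ver) else "fixed")
            for h, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not data taken from the advisory.
    sample = {"rd-prod-1": "3.4.2-20210722", "rd-prod-2": "3.4.3-20210729",
              "rd-legacy": "3.3.13-20210719", "rd-old": "3.2.9", "rd-new": "3.5.0"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```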

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to plugin or ACL endpoints
  • POST requests to unauthorized API endpoints
  • Errors related to YAML parsing or plugin loading

Network Indicators:

  • Unexpected outbound connections from Rundeck server
  • POST requests to /api/* endpoints from unauthorized users

SIEM Query:

source="rundeck" AND (event="file.upload" OR event="api.request") AND (resource="plugin" OR resource="aclpolicy" OR path="/api/*")
