CVE-2021-41112

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated Rundeck users to modify or delete system or project calendars without proper authorization. This could cause scheduled jobs to execute or not execute on unintended days, potentially disrupting automation workflows. All Rundeck instances with authenticated users are affected.

💻 Affected Systems

Products:
  • Rundeck
Versions: All versions prior to 3.4.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; severity depends on trust level of authenticated users and importance of scheduled jobs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical scheduled jobs (like backups, security scans, or production deployments) could be triggered at wrong times or prevented from running, causing data loss, security gaps, or operational disruption.

🟠 Likely Case

Unauthorized calendar modifications lead to job scheduling errors, causing automation failures, missed maintenance tasks, or unexpected job executions that impact system reliability.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to minor scheduling disruptions that can be quickly detected and corrected.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; attackers need valid credentials to exploit this authorization bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.5

Vendor Advisory: https://github.com/rundeck/rundeck/security/advisories/GHSA-f68p-c9wh-j2q8

Restart Required: Yes

Instructions:

1. Back up the Rundeck configuration and data.
2. Stop the Rundeck service.
3. Upgrade to version 3.4.5 or later.
4. Restart the Rundeck service.
5. Verify functionality.

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict authenticated user access to only trusted personnel with minimal necessary permissions.
  • Implement enhanced monitoring of calendar modifications and job execution logs for anomalous activity.

🔍 How to Verify

Check if Vulnerable:

Check Rundeck version via web interface or configuration files; versions below 3.4.5 are vulnerable.

Check Version:

rundeckd version

Verify Fix Applied:

Confirm Rundeck version is 3.4.5 or higher and test that authenticated users cannot modify calendars without proper authorization.
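An added helper for the version check above (it is not from the advisory or from Rundeck's own tooling): it pulls the first X.Y.Z token out of whatever `rundeckd version` prints (the exact output format is assumed) and compares it against 3.4.5 component by component, so that a release such as 3.4.10 is not mistaken for an older build by a plain string comparison.

```shell
#!/bin/sh
# Added example: decide whether a Rundeck version string is below the
# fixed release 3.4.5 for CVE-2021-41112. Not part of Rundeck itself.

FIXED_VERSION="3.4.5"

# extract_version: pull the first dotted X.Y.Z token out of a string.
# The output format of `rundeckd version` is assumed, not known; grep -o
# keeps only the numeric release part (e.g. "3.4.4" from "3.4.4-20210920").
extract_version() {
  printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n1
}

# version_lt A B: return 0 if A < B, comparing each dotted component
# numerically (so 3.4.10 > 3.4.5, which a string compare gets wrong).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"
    if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
    ax="${ax:-0}"; bx="${bx:-0}"
    if [ "$ax" -lt "$bx" ]; then return 0; fi
    if [ "$ax" -gt "$bx" ]; then return 1; fi
  done
  return 1
}

# rundeck_is_vulnerable "<output of rundeckd version>": exit 0 when the
# installed release is older than 3.4.5, 1 when it is fixed or unparseable.
rundeck_is_vulnerable() {
  v=$(extract_version "$1")
  [ -n "$v" ] || { echo "could not parse a version from: $1" >&2; return 1; }
  version_lt "$v" "$FIXED_VERSION"
}

# Usage on a live host (the rundeckd path may differ per install):
#   if rundeck_is_vulnerable "$(rundeckd version 2>&1)"; then
#     echo "Rundeck below 3.4.5: upgrade for CVE-2021-41112"
#   fi
```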

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized calendar modification attempts in Rundeck audit logs
  • Unexpected job executions or missed scheduled jobs

Network Indicators:

  • HTTP requests to calendar API endpoints from unauthorized users

SIEM Query:

source="rundeck" AND (event_type="calendar_modification" OR event_type="job_execution") AND user NOT IN [authorized_users]
