CVE-2021-39132: 
Java vulnerability analysis and mitigation

Rundeck, an open source automation service with a web console, command line tools and a WebAPI, was found to contain a YAML deserialization vulnerability (CVE-2021-39132) that could allow authorized users to execute untrusted code. The vulnerability was discovered by Rojan Rijal from Tinder Red Team and disclosed on August 28, 2021. This issue affected Rundeck Community and Enterprise Edition versions prior to 3.4.3 and 3.3.14 (GitHub Advisory).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and allows for unsafe YAML deserialization. The issue could be exploited through multiple vectors: uploading a zip-format plugin with a crafted plugin.yaml, uploading a crafted aclpolicy yaml file, uploading an untrusted project archive with a crafted aclpolicy yaml file, or making a specific POST request in the Enterprise Edition (GitHub Advisory).

The vulnerability could allow authenticated users with specific permissions to execute arbitrary code on the server. For the zip-format plugin exploitation, admin level access to the system resource type is required. For ACL Policy yaml file upload exploitation, users need create/update/admin level access to projectacl or systemacl resources. In Rundeck Enterprise Edition, authenticated users could exploit the vulnerability through a POST request without requiring specific authorization (GitHub Advisory).

The vulnerability has been patched in Rundeck versions 3.4.3 and 3.3.14. Users are advised to upgrade to these or newer versions. For specific workarounds, users can visit the Rundeck security page at https://rundeck.com/security (GitHub Advisory).