CVE-2021-39133: 
Java vulnerability analysis and mitigation

Rundeck, an open source automation service with a web console, command line tools and a WebAPI, was found to be vulnerable to a Cross-Site Request Forgery (CSRF) attack in versions prior to 3.3.14 and 3.4.3. The vulnerability was disclosed on August 30, 2021, and assigned identifier CVE-2021-39133. The issue specifically affects users with admin access to the system resource type, potentially allowing attackers to cause the server to run untrusted code on all Rundeck editions (GitHub Advisory).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) weakness (CWE-352) with a moderate severity rating. The security flaw exists in the plugin upload and installation endpoints of Rundeck, which lacked proper CSRF protection. This allowed potential attackers to execute untrusted code on the server through a CSRF attack vector, specifically targeting users with administrative privileges to the system resource type (GitHub Advisory).

The vulnerability could allow attackers to execute arbitrary untrusted code on the Rundeck server if they successfully exploit the CSRF vulnerability. This affects all Rundeck editions and could potentially lead to unauthorized system access or manipulation when targeting users with administrative privileges (GitHub Advisory).

The vulnerability has been patched in Rundeck versions 3.4.3 and 3.3.14. The fix includes implementing proper CSRF protection for plugin upload and installation endpoints. Users are advised to upgrade to these patched versions. For specific workarounds, users can visit the Rundeck security page at rundeck.com/security (GitHub Advisory).