CVE-2022-31044: 
Java vulnerability analysis and mitigation

The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. This vulnerability affects those using any Storage Converter plugin. The issue was discovered and disclosed on June 15, 2022 (GitHub Advisory, NVD).

The vulnerability affects Rundeck versions 4.2.0 and 4.2.1, specifically impacting installations using 'Storage Converter' plugins such as jasypt-encryption configured via the rundeck.storage.converter.1.type=jasypt-encryption setting. The issue has been assigned a CVSS v3.1 Base Score of 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could result in sensitive credentials being stored in plaintext in the backend storage, potentially exposing confidential information to unauthorized access. Any credentials created or modified during the use of affected versions might have been stored without proper encryption (GitHub Advisory).

To mitigate the issue, users should upgrade to Rundeck versions 4.3.2, 4.2.3, or later which have fixed the code and will re-encrypt any plaintext values upon upgrade. Note that version 4.3.0 does not have the vulnerability but lacks the re-encryption patch. As a temporary workaround, write access to key storage can be disabled via ACLs until the upgrade is completed. After upgrading to a patched version, write access can be restored (GitHub Advisory).