CVE-2023-47112: 
Java vulnerability analysis and mitigation

CVE-2023-47112 affects Rundeck, an open source automation service with web console, command line tools and WebAPI. The vulnerability was discovered in versions 4.17.0 through 4.17.2 and was patched in version 4.17.3. The issue allows authenticated users to access URL paths that provide lists of job names and groups for any project without proper authorization checks (Vendor Advisory).

The vulnerability affects two specific URLs in both Rundeck Open Source and Process Automation products: http[s]://[host]/context/rdJob/ and http[s]://[host]/context/api//incubator/jobs. The CVSS v3.1 score is 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction needed, unchanged scope, and low confidentiality impact (NVD).

The vulnerability allows authenticated users to view job names and groups within any project without proper authorization. However, the access is limited to read-only operations and only exposes the names of job groups and jobs contained within the specified project. No modifications to the information are possible through this vulnerability (Vendor Advisory).

The vulnerability has been patched in version 4.17.3, and users are advised to upgrade to this version. For users unable to upgrade immediately, a workaround is available by blocking access to the two affected URLs at the load balancer level: http[s]://host/context/rdJob/ and http[s]://host/context/api//incubator/jobs (Vendor Advisory).