Plaintext Storage of a Password

CVE-2022-31044

Severity High
Score 7.5/10

Summary

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck versions 4.2.0-rc1-20220502 through 4.2.1-20220511 and 4.3.0-rc1-20220523 through 4.3.0-20220602, so the encryption layer for Key Storage may not have been applied. In affected versions, any credentials created or overwritten may have been written in plaintext to the backend storage. This affects those using any `Storage Converter` plugin. Rundeck 4.3.1-rc1-20220606 and 4.2.2-rc1-20220606 have fixed the code and, upon upgrade, will re-encrypt any plaintext values.
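The failure mode described above is a storage layer whose encrypting converter is simply not in the write path, so secrets reach the backend as plaintext, and a reading converter that passes unprefixed values through unchanged hides the problem from every consumer. The following is an added, hypothetical model of that pattern and of the remediation the advisory describes (scan the backend for unencrypted entries and re-encrypt them on upgrade). It is not Rundeck's code: the `ENC1:` marker, the storage paths, the sample secret and the HMAC-SHA256 counter-mode stand-in for the real encryption converter are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed marker identifying values that went through the encrypting converter.
# Rundeck's real on-disk format is not described on this page; this is an assumption.
PREFIX = b"ENC1:"
NONCE_LEN = 16


class EncryptingConverter:
    """Stand-in for a Storage Converter plugin that encrypts values before they
    reach backend storage. Uses HMAC-SHA256 in counter mode as a keystream; this
    is illustrative only and is not the cipher Rundeck uses."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self.key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def write(self, value: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ciphertext = bytes(a ^ b for a, b in zip(value, self._keystream(nonce, len(value))))
        return PREFIX + base64.b64encode(nonce + ciphertext)

    def read(self, stored: bytes) -> bytes:
        if not stored.startswith(PREFIX):
            # Pass-through for values that never went through the converter.
            # This is exactly why a plaintext write goes unnoticed: reads still succeed.
            return stored
        raw = base64.b64decode(stored[len(PREFIX):])
        nonce, ciphertext = raw[:NONCE_LEN], raw[NONCE_LEN:]
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


class KeyStorage:
    """Minimal key storage: a dict backend with an ordered chain of converters."""

    def __init__(self, converters) -> None:
        self.backend: dict[str, bytes] = {}
        self.converters = list(converters)

    def put(self, path: str, value: bytes) -> None:
        for converter in self.converters:      # empty chain => plaintext hits the backend
            value = converter.write(value)
        self.backend[path] = value

    def get(self, path: str) -> bytes:
        value = self.backend[path]
        for converter in reversed(self.converters):
            value = converter.read(value)
        return value


def find_plaintext_entries(storage: KeyStorage) -> list[str]:
    """Defender's check: which backend entries never passed through the converter?"""
    return sorted(path for path, value in storage.backend.items() if not value.startswith(PREFIX))


def reencrypt_plaintext(storage: KeyStorage, converter: EncryptingConverter) -> list[str]:
    """Upgrade-time remediation: re-encrypt every plaintext entry in place."""
    fixed = []
    for path in find_plaintext_entries(storage):
        storage.backend[path] = converter.write(storage.backend[path])
        fixed.append(path)
    return fixed


def demo():
    key = hashlib.sha256(b"constructed demo key").digest()   # constructed key material
    converter = EncryptingConverter(key)

    storage = KeyStorage(converters=[])                      # converter plugin not wired in
    storage.put("keys/db-password", b"hunter2")              # constructed sample secret
    leaked = find_plaintext_entries(storage)                 # ["keys/db-password"]

    storage.converters = [converter]                         # the fix: converter enabled
    fixed = reencrypt_plaintext(storage, converter)          # re-encrypt on upgrade
    return leaked, fixed, storage.get("keys/db-password"), find_plaintext_entries(storage)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the secret sitting unprefixed in the backend while the misconfigured chain is in place, then the remediation scan finding and re-encrypting it, after which reads still return the original value and the plaintext scan is empty. The scan only works because the encrypted form is distinguishable from plaintext; a converter whose output is not self-identifying could not be audited this way.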

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-256 - Plaintext Storage of a Password

Storing a password in plaintext may result in a system compromise.
