Plaintext Storage of a Password
CVE-2022-31044
Summary
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In Rundeck versions 4.2.0-rc1-20220502 through 4.2.1-20220511 and 4.3.0-rc1-20220523 through 4.3.0-20220602, the Key Storage converter plugin mechanism was not enabled correctly, so the encryption layer for Key Storage may not have been applied. In affected versions, any credentials created or overwritten may have been written in plaintext to the backend storage. This affects deployments using any `Storage Converter` plugin. Rundeck 4.3.1-rc1-20220606 and 4.2.2-rc1-20220606 fix the code and, upon upgrade, re-encrypt any plaintext values.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-256 - Plaintext Storage of a Password
Storing a password in plaintext may result in a system compromise.