Merge pull request #1607 from rundeck/cves
RUN-2936: CVE False Positives
Showing 8 changed files with 52 additions and 6 deletions.
@@ -1,5 +1,5 @@ | ||
--- | ||
order: 800 | ||
order: 1800 | ||
--- | ||
|
||
# CVE-2016-1000027 | ||
|
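Review bot: the `order` value jumps from 800 to 1800 here (and the Log4Shell page goes from 1500 to 2000 in the last hunk of this commit) with no stated scheme, while the new pages take 1300, 90 and 80. If the sidebar is meant to sort newest or highest-impact first, say so in the commit message or in a short README in the directory so the next CVE page gets a consistent value instead of a hand-picked one.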
@@ -0,0 +1,12 @@ | ||
--- | ||
order: 1300 | ||
--- | ||
|
||
|
||
# CVE-2020-0187 | ||
|
||
::: danger FALSE POSITIVE | ||
Rundeck and Runbook Automation are not vulnerable to this CVE. | ||
::: | ||
|
||
This finding is only vulnerable on Android 10. It does not apply to Rundeck or Runbook Automation products. |
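Review bot: the justification should name the component the scanner flagged and link the upstream advisory, as the other new pages in this commit do, so a reader can verify the false-positive call; as written it only states that the issue is limited to Android 10. Also reword `This finding is only vulnerable on Android 10` to something like `This CVE only affects Android 10`, since it is the platform that is vulnerable, not the finding, and consider adding the `## <component> vulnerability` subheading the other new pages use.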
2 changes: 1 addition & 1 deletion
docs/history/CVEs/cve-2023-39017.md → docs/history/cves/cve-2023-39017.md
@@ -1,5 +1,5 @@ | ||
--- | ||
order: 1300 | ||
order: 350 | ||
--- | ||
|
||
# CVE-2023-39017 | ||
|
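Review bot: this rename changes the directory case from `CVEs` to `cves`, which changes the published URL on case-sensitive hosting; existing links to the old path (release notes, scanner tickets) need a redirect, or the docs config should be checked for a path-rewrite rule. The `order` also drops from 1300 to 350 while the new CVE-2020-0187 page takes 1300, which suggests these values are assigned by hand; a documented scheme would avoid collisions.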
@@ -0,0 +1,15 @@ | ||
--- | ||
order: 90 | ||
--- | ||
|
||
# CVE-2024-24786 | ||
|
||
## Remco / Google Protobuf vulnerability | ||
|
||
::: danger FALSE POSITIVE | ||
Rundeck and Runbook Automation are not vulnerable to this CVE. | ||
::: | ||
|
||
The vulnerability exists in all versions of google.golang.org/protobuf before 1.33.0 and it is used by Remco (not used directly by Rundeck). Currently, the Rundeck and Runbook Automation Dockerfile that builds Remco uses a specific commit uses the protobuf version 1.32.0. At the time of this writing there is no update to the Remco build to use the latest the protobuf library. | ||
|
||
Protobuf is used by Remco when configured to receive config values from other backends like redis, or secrets from vault. Rundeck and Runbook Automation products do not use those modes as part of Remco, and therefore would not be vulnerable to this finding. |
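Review bot: `uses a specific commit uses the protobuf version 1.32.0` has a doubled `uses` and `the latest the protobuf library` a doubled `the`; suggest `pins a specific Remco commit that uses protobuf 1.32.0` and `the latest protobuf library`. More substantively, the false-positive call rests on two facts a reader cannot check from this page: which Remco commit the Dockerfile pins, and that the Redis and Vault backends are the only code paths that exercise protobuf. Add the Dockerfile path and the pinned commit, and link the upstream advisory, so the claim can be re-verified once the `At the time of this writing` caveat goes stale.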
@@ -0,0 +1,17 @@ | ||
--- | ||
order: 80 | ||
--- | ||
|
||
# CVE-2024-33807 | ||
|
||
## Spring Boot Loader Vulnerability | ||
|
||
::: danger FALSE POSITIVE | ||
Rundeck and Runbook Automation are not vulnerable to this CVE. | ||
::: | ||
|
||
The vulnerability exists in Spring Boot Loader 2.7.0 to 2.7.21 and it was fixed on 2.7.22. | ||
|
||
Rundeck uses Spring Boot 2.7.18 that is part of the Grails 6.1 version and it would require an update on Grails Framework. This update is currently not scheduled until 2025 sometime. | ||
|
||
The vulnerability exists when `custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.` This is not used in Rundeck or Runbook Automation products and they are not vulnerable to this finding. |
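Review bot: the quoted advisory text is wrapped in backticks, which renders it as inline code; use a `>` blockquote with a link to the Spring advisory so the quote's provenance, the affected range 2.7.0 to 2.7.21 and the CVE id in the heading and filename can all be verified against the upstream source. Minor wording: `fixed on 2.7.22` should be `fixed in 2.7.22`, and `Spring Boot 2.7.18 that is part of the Grails 6.1 version` reads better as `Spring Boot 2.7.18, which ships with Grails 6.1`. The `not scheduled until 2025 sometime` line will go stale; a tracking reference would age better than a date.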
@@ -1,5 +1,5 @@ | ||
--- | ||
order: 1500 | ||
order: 2000 | ||
--- | ||
|
||
# Log4Shell / Log4j Security | ||
|