24786

rundeck · Dec 18, 2024 · 6761590 · 6761590
1 parent 9f8ee74
commit 6761590
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 2 deletions.
diff --git a/docs/history/CVEs/cve-2023-39017.md b/docs/history/CVEs/cve-2023-39017.md
@@ -1,5 +1,5 @@
 ---
-order: 1300
+order: 350
 ---
 
 # CVE-2023-39017

diff --git a/docs/history/cves/cve-2024-24786.md b/docs/history/cves/cve-2024-24786.md
@@ -0,0 +1,15 @@
+---
+order: 99
+---
+
+# CVE-2024-24786
+
+## Remco / Google Protobuf vulnerability
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+The vulnerability exists in all versions of google.golang.org/protobuf before 1.33.0 and it is used by Remco (not used directly by Rundeck).  Currently, the Rundeck and Runbook Automation Dockerfile that builds Remco uses a specific commit uses the protobuf version 1.32.0.  At the time of this writing there is no update to the Remco build to use the latest the protobuf library.
+
+Protobuf is used by Remco when configured to receive config values from other backends like redis, or secrets from vault.  Rundeck and Runbook Automation products do not use those modes as part of Remco, and therefore would not be vulnerable to this finding.
diff --git a/docs/history/cves/cve-2024-38807.md b/docs/history/cves/cve-2024-38807.md
@@ -1,5 +1,5 @@
 ---
-order: 99
+order: 98
 ---
 
 # CVE-2024-33807

diff --git a/docs/history/cves/index.md b/docs/history/cves/index.md
@@ -39,4 +39,5 @@ These are the Security Advisories Rundeck has issued in the past.  It is always
 * [CVE-2024-1597 Postgres JDBC Driver Vulnerability](cve-2024-1597.md).
 * [CVE-2016-1000027 Spring Unsafe Java deserialization](cve-2016-1000027.md).
 * [CVE-2023-39017 Quartz Scheduler false positive](cve-2023-39017.md).
+* [CVE-2024-24786 Protobuf finding in Remco](cve-2024-38807.md).
 * [CVE-2024-38807 Spring Boot false positive](cve-2024-38807.md).