Breaking

Full Disclosure: Multiple Rundeck Job Command Injections

During a red-teaming-style customer project, we managed to get access to a Rundeck API token. Rundeck is a job scheduler and runbook automation platform designed to automate routine IT tasks across multiple systems. At first, we were excited about this API token because if we could create new Rundeck jobs, we could execute arbitrary code on the Rundeck nodes and move laterally from there. However, it turned out that with this token we only had permissions to run existing jobs.

Breaking

Vulnerability in Jitsi Meet: Meeting Password Disclosure affecting Meetings with Lobbies

During a customer project, we identified a logic flaw in Jitsi Meet, an open-source platform for secure video conferencing, voice calls, and messaging. The vulnerability affects password-protected Jitsi meetings that make use of a lobby. This logic flaw leads to the disclosure of the meeting password when a user is admitted to the call after waiting in the lobby.

Jitsi offers two security options to meeting moderators. Firstly, the meeting can be assigned a password that must be entered when joining. Secondly, a lobby mode can be activated, which first adds joining users to a lobby, from where they can then be added to the meeting by a user with moderation permissions.
