
CVE-2021-41112: CWE-862: Missing Authorization in rundeck rundeck

Severity: Medium
Published: Mon Feb 28 2022 (02/28/2022, 19:15:17 UTC)
Source: CVE
Vendor/Project: rundeck
Product: rundeck

Description

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could cause Scheduled Jobs to execute, or not execute on desired calendar days. Severity depends on trust level of authenticated users and impact of running or not running scheduled jobs on days governed by calendar definitions. Version 3.4.5 contains a patch for this issue. There are currently no known workarounds.

AI-Powered Analysis

Last updated: 06/23/2025, 15:33:37 UTC

Technical Analysis

CVE-2021-41112 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting Rundeck, an open-source automation service widely used for orchestrating scheduled jobs via a web console, command line tools, and WebAPI. The vulnerability exists in Rundeck versions prior to 3.4.5 and allows any authenticated user to craft specially designed requests to modify or delete System or Project level Calendars without proper authorization checks. Calendars in Rundeck define specific days on which scheduled jobs should or should not run. By exploiting this flaw, an attacker with valid authentication can alter calendar configurations, potentially causing scheduled jobs to execute on unintended days or fail to execute on intended days. The impact of this vulnerability is context-dependent, relying heavily on the trust level of the authenticated user and the criticality of the scheduled jobs governed by these calendars. For example, if critical operational or security tasks are scheduled based on these calendars, their disruption could lead to operational outages, security lapses, or data integrity issues. The vulnerability was patched in Rundeck version 3.4.5, but no known workarounds exist for affected versions. There are no reports of active exploitation in the wild, but the vulnerability poses a risk in environments where multiple users have authenticated access to Rundeck and where calendar-based scheduling is integral to operations.

Potential Impact

For European organizations, the impact of CVE-2021-41112 can be significant, especially in sectors relying heavily on automation for critical infrastructure, IT operations, or business processes. Disruption or manipulation of scheduled jobs could lead to missed maintenance windows, delayed security updates, or failure to execute compliance-related tasks, potentially resulting in operational downtime, regulatory non-compliance, or security incidents. Organizations with multi-user Rundeck deployments where users have varying trust levels are particularly at risk, as lower-privileged users could escalate their influence by altering calendar configurations. This could affect industries such as finance, manufacturing, energy, and public sector entities that use Rundeck for automation. Additionally, the lack of authorization checks could undermine internal security policies and audit controls. Although no active exploits are known, the vulnerability's presence in open-source software with a web interface increases the attack surface, especially if exposed to internal or external networks without proper segmentation.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading Rundeck installations to version 3.4.5 or later, where the authorization checks have been properly implemented. Until upgrades can be performed, organizations should restrict authenticated access to Rundeck to trusted users only and enforce strict role-based access controls to limit who can modify calendar configurations. Network segmentation and firewall rules should be applied to limit access to Rundeck’s web console and API endpoints. Monitoring and logging of calendar modification activities should be enhanced to detect unauthorized changes promptly. Additionally, organizations should review scheduled job dependencies on calendars and implement secondary verification or alerting mechanisms for critical jobs. Regular audits of user permissions and scheduled job configurations can help identify potential misuse. Since no workarounds exist, patching remains the most effective defense. Finally, organizations should educate users about the risks of unauthorized calendar modifications and incorporate this vulnerability into their incident response planning.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-09-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9842c4522896dcbf2645

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 3:33:37 PM

Last updated: 8/1/2025, 7:06:19 AM
