CVE-2022-31044: CWE-256: Plaintext Storage of a Password in rundeck rundeck
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. This affects those using any `Storage Converter` plugin. Rundeck 4.3.1 and 4.2.2 have fixed the code and upon upgrade will re-encrypt any plain text values. Version 4.3.0 does not have the vulnerability, but does not include the patch to re-encrypt plain text values if 4.2.0 or 4.2.1 were used. To prevent plaintext credentials from being stored in Rundeck 4.2.0/4.2.1, write access to key storage can be disabled via ACLs. After upgrading to 4.3.1 or later, write access can be restored.
AI Analysis
Technical Summary
CVE-2022-31044 affects Rundeck, an open-source automation platform widely used for orchestration and job scheduling via a web console, CLI, and WebAPI, in versions 4.2.0 and 4.2.1. The Key Storage converter plugin mechanism, which applies an encryption layer to credentials before they reach Rundeck's backend storage, was not enabled correctly in those releases, so credentials created or overwritten there may be written to the backend in plaintext rather than encrypted. Only deployments that use a Storage Converter plugin (the component that encrypts and decrypts stored secrets) are affected, since it is that plugin's encryption that silently stopped being applied. Version 4.3.0 does not contain the defect but lacks the remediation that re-encrypts plaintext values left behind by the vulnerable versions. The fix shipped in 4.2.2 and 4.3.1, which restore the encryption layer and re-encrypt previously stored plaintext values on upgrade. As an interim mitigation, administrators can deny write access to key storage via Access Control Lists (ACLs) so that no new plaintext values are written, and restore write access after upgrading to a patched version. The issue is classified as CWE-256 (plaintext storage of a password) and CWE-522 (insufficiently protected credentials). No exploitation in the wild has been reported, but the exposure is significant given the sensitivity of the credentials an automation platform holds.
Potential Impact
For European organizations, plaintext storage of credentials in Rundeck is a confidentiality problem in the backend rather than a remotely triggerable bug: anyone who can read the Rundeck storage backend or its backups could retrieve passwords or API keys in cleartext, enabling lateral movement, privilege escalation, or unauthorized access to the infrastructure and services that Rundeck automates. The risk is particularly acute for organizations that rely on Rundeck for IT operations, DevOps pipelines, or cloud orchestration, since compromised credentials undermine the integrity and availability of automated workflows. Exposure of credentials may also violate data protection regulations such as GDPR if personal data or critical infrastructure is involved, with legal and financial consequences. No attacker action is needed to create the exposure: ordinary, legitimate writes to key storage on 4.2.0 or 4.2.1 (creating or overwriting a key) land in plaintext whenever a Storage Converter plugin is in use, so the population at risk is every credential touched while those versions were running, and the attacker is whoever later obtains read access to the backend store or a backup, including insiders with database or backup access. The scope is limited to installations that ran the affected versions, but given Rundeck's adoption in sectors like finance, manufacturing, and government across Europe, the impact could be widespread if not addressed promptly.
Mitigation Recommendations
1. Immediate Upgrade: Upgrade all Rundeck instances running 4.2.0 or 4.2.1 to 4.2.2, or to 4.3.1 or later, so that the encryption layer is properly enabled and plaintext values are re-encrypted. Do not stop at 4.3.0: it closes the write path but does not re-encrypt values already written in plaintext.
2. ACL Enforcement: Until the upgrade is complete, deny create, update and delete on key storage via ACL policy so that no new plaintext values are written; read access for jobs can remain. Restore write access only after upgrading to 4.2.2 or 4.3.1+.
3. Credential Audit and Rotation: Treat every key created or overwritten while 4.2.0 or 4.2.1 was running as potentially exposed. The re-encryption performed on upgrade protects values going forward but does not undo exposure to anyone who already read the backend store or a backup taken during that window, so rotate those credentials.
4. Access Controls: Harden access to the Rundeck backend storage and its backups with strict access controls, network segmentation, and monitoring to detect unauthorized access attempts.
5. Monitoring and Logging: Enable detailed logging and monitoring of key storage access and credential changes in Rundeck to detect suspicious activity early.
6. Backup Security: Backups taken during the exposure window contain the plaintext values. Encrypt and access-control them, and retire or re-create those that are no longer needed.
7. Vendor Communication: Follow Rundeck vendor advisories for any further patches or mitigation guidance.
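Steps 1 and 2 in working form, as an added example written for this page and not Rundeck's own code: a small triage script that classifies each host's version against the advisory (4.2.0 and 4.2.1 vulnerable, 4.3.0 safe but without re-encryption, 4.2.2 and 4.3.1 or later fixed) and renders the interim ACL policy that denies key-storage writes. The version is taken from the JSON body of Rundeck's GET /api/<version>/system/info endpoint; the response path system.rundeck.version is assumed, the host names and response bodies below are constructed, and the group name operators is a placeholder. The policy uses the application-scope storage resource of Rundeck's ACL YAML and denies create, update and delete while leaving read allowed.

```python
"""Added example for CVE-2022-31044 (not Rundeck's code): version triage plus
the interim ACL that blocks key-storage writes until the upgrade is done."""
import json
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Version facts stated in the advisory.
VULNERABLE = {(4, 2, 0), (4, 2, 1)}   # writes may land in plaintext
NO_REENCRYPT = (4, 3, 0)              # safe, but never re-encrypts old plaintext
REGRESSION_START = (4, 2, 0)          # anything older is outside the affected range

ADVICE = {
    "vulnerable": "Upgrade to 4.2.2 or 4.3.1+; until then deny create/update/delete on key storage.",
    "no-reencrypt": "Not vulnerable, but values written on 4.2.0/4.2.1 stay plaintext; go to 4.3.1+.",
    "fixed": "Patched and re-encrypted on upgrade; still rotate anything written on 4.2.0/4.2.1.",
    "unaffected": "Outside the affected range; no action for this CVE.",
}


def parse_version(s: str) -> Version:
    """'4.2.1-20220503' -> (4, 2, 1); build/date suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised Rundeck version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Map a version string to one of the ADVICE keys."""
    v = parse_version(version)
    if v < REGRESSION_START:
        return "unaffected"
    if v in VULNERABLE:
        return "vulnerable"
    if v == NO_REENCRYPT:
        return "no-reencrypt"
    return "fixed"          # 4.2.2, 4.3.1 and everything later


def triage(system_info_bodies: Dict[str, str]) -> Dict[str, str]:
    """host -> classification, from the JSON body of GET /api/<n>/system/info.
    Assumed response shape: {"system": {"rundeck": {"version": "..."}}}."""
    return {host: classify(json.loads(body)["system"]["rundeck"]["version"])
            for host, body in system_info_bodies.items()}


def interim_acl(group: str, path_regex: str = "keys/.*") -> str:
    """Rundeck ACL policy (application scope, 'storage' resource) that keeps
    reads working for `group` but denies every write action on matching paths."""
    return (
        "description: CVE-2022-31044 interim - block key storage writes\n"
        "context:\n"
        "  application: 'rundeck'\n"
        "for:\n"
        "  storage:\n"
        "    - match:\n"
        f"        path: '{path_regex}'\n"
        "      allow: [read]\n"
        "      deny: [create, update, delete]\n"
        "by:\n"
        f"  group: '{group}'\n"
    )


# Constructed sample responses (not captured from real hosts).
SAMPLE_SYSTEM_INFO = {
    "rd-eu-prod":  json.dumps({"system": {"rundeck": {"version": "4.2.1-20220503"}}}),
    "rd-eu-stage": json.dumps({"system": {"rundeck": {"version": "4.3.0"}}}),
    "rd-eu-dev":   json.dumps({"system": {"rundeck": {"version": "4.3.1"}}}),
    "rd-legacy":   json.dumps({"system": {"rundeck": {"version": "4.1.4"}}}),
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_SYSTEM_INFO).items():
        print(f"{host:<12} {label:<13} {ADVICE[label]}")
    print(interim_acl("operators"))
```

Save the rendered policy as a file ending in .aclpolicy under Rundeck's etc directory and remove it after the upgrade. In Rundeck ACLs a deny rule takes precedence over allow rules in other policies, so this blocks writes for the group even where another policy grants them; widen the path regex if your keys live outside keys/.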
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9844c4522896dcbf3415
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 5:19:57 AM
Last updated: 8/1/2025, 7:12:31 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)