CVE-2022-36157
Description
XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions, resulting in the ability to execute admin functions with a low-privilege account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XXL-JOB all versions up to July 2022 have insecure permissions allowing low-privileged users to access admin functions via URL manipulation.
Vulnerability
Overview
XXL-JOB, a distributed task scheduling framework, suffers from insecure permissions in all versions as of July 11, 2022 [1]. The vulnerability allows users with low-privilege accounts to access administrative functionality that should be restricted.
Exploitation
An attacker can exploit this by first logging in with a low-privilege account. By appending "/jobgroup" to the URL, they gain access to the "Executor management" function, which is normally only available to admin users [4]. No additional authentication or network position is required beyond having a low-privilege account.
Impact
Successful exploitation enables a low-privilege user to execute admin functions, potentially leading to unauthorized task management, configuration changes, and further privilege escalation.
Mitigation
The issue was patched in commit 730c1066b80e8ab44503ed34ced19ef8e0471fec [2], included in version 2.4.0 [3]. Users should upgrade to the latest version to remediate the vulnerability.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.xuxueli:xxl-job (Maven) | < 2.4.0 | 2.4.0 |
Affected products
- XXL-JOB / XXL-JOB
Patches
12 files changed · +15 −5
doc/XXL-JOB官方文档.md+8 −5 modified@@ -2303,11 +2303,9 @@ public void execute() { ### 7.33 版本 v2.4.0 Release Notes[规划中] - 1、【优化】执行器任务Bean扫描逻辑优化:解决懒加载注解失效问题。 -- 2、【优化】[规划中]任务日志重构:一次调度只记录一条主任务,维护起止时间和状态。 - - 普通任务:只记录一条主任务; - - 广播任务:记录一条主任务,每个分片任务记录一条次任务,关联在主任务上; - - 重试任务:失败时,新增主任务。所有调度记录,包括入口调度和重试调度,均挂载主任务上。 -- 3、【优化】[规划中]分片任务:全部完成后才会出发后置节点; +- 2、【优化】多个项目依赖升级至较新稳定版本,涉及netty、groovy、spring、springboot、mybatis等; +- 3、【修复】"CVE-2022-36157"授权漏洞修复。 + ### 7.34 新版本规划 [规划中] - 1、[规划中]DAG流程任务 @@ -2317,6 +2315,11 @@ public void execute() { - 3、[规划中]告警增强:邮件告警 + webhook告警; - 4、[规划中]安全强化:AccessToken动态生成、动态启停;控制调度、回调; - 5、[规划中]任务导入导出工具,灵活支持版本升级、迁移等场景。 +- 6、【优化】[规划中]任务日志重构:一次调度只记录一条主任务,维护起止时间和状态。 + - 普通任务:只记录一条主任务; + - 广播任务:记录一条主任务,每个分片任务记录一条次任务,关联在主任务上; + - 重试任务:失败时,新增主任务。所有调度记录,包括入口调度和重试调度,均挂载主任务上。 +- 7、【优化】[规划中]分片任务:全部完成后才会出发后置节点; ### TODO LIST - 1、任务分片路由:分片采用一致性Hash算法计算出尽量稳定的分片顺序,即使注册机器存在波动也不会引起分批分片顺序大的波动;目前采用IP自然排序,可以满足需求,待定;
xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobGroupController.java+7 −0 modified@@ -1,5 +1,6 @@ package com.xxl.job.admin.controller; +import com.xxl.job.admin.controller.annotation.PermissionLimit; import com.xxl.job.admin.core.model.XxlJobGroup; import com.xxl.job.admin.core.model.XxlJobRegistry; import com.xxl.job.admin.core.util.I18nUtil; @@ -34,12 +35,14 @@ public class JobGroupController { private XxlJobRegistryDao xxlJobRegistryDao; @RequestMapping + @PermissionLimit(adminuser = true) public String index(Model model) { return "jobgroup/jobgroup.index"; } @RequestMapping("/pageList") @ResponseBody + @PermissionLimit(adminuser = true) public Map<String, Object> pageList(HttpServletRequest request, @RequestParam(required = false, defaultValue = "0") int start, @RequestParam(required = false, defaultValue = "10") int length, @@ -59,6 +62,7 @@ public Map<String, Object> pageList(HttpServletRequest request, @RequestMapping("/save") @ResponseBody + @PermissionLimit(adminuser = true) public ReturnT<String> save(XxlJobGroup xxlJobGroup){ // valid @@ -102,6 +106,7 @@ public ReturnT<String> save(XxlJobGroup xxlJobGroup){ @RequestMapping("/update") @ResponseBody + @PermissionLimit(adminuser = true) public ReturnT<String> update(XxlJobGroup xxlJobGroup){ // valid if (xxlJobGroup.getAppname()==null || xxlJobGroup.getAppname().trim().length()==0) { @@ -170,6 +175,7 @@ private List<String> findRegistryByAppName(String appnameParam){ @RequestMapping("/remove") @ResponseBody + @PermissionLimit(adminuser = true) public ReturnT<String> remove(int id){ // valid @@ -189,6 +195,7 @@ public ReturnT<String> remove(int id){ @RequestMapping("/loadById") @ResponseBody + @PermissionLimit(adminuser = true) public ReturnT<XxlJobGroup> loadById(int id){ XxlJobGroup jobGroup = xxlJobGroupDao.load(id); return jobGroup!=null?new ReturnT<XxlJobGroup>(jobGroup):new ReturnT<XxlJobGroup>(ReturnT.FAIL_CODE, null);
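Review bot: the release-notes entry `+- 3、【修复】"CVE-2022-36157"授权漏洞修复。` in the first doc hunk does not say which component was affected; suggest naming the admin-side executor management endpoints (JobGroupController) so operators reading the notes can judge their exposure before scheduling the upgrade.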
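Review bot: the moved line `+- 7、【优化】[规划中]分片任务:全部完成后才会出发后置节点;` in the second doc hunk carries over the typo 出发 where 触发 (trigger) is meant; since the line is being rewritten in this commit anyway, correct it here rather than leaving it for a later doc pass.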
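Review bot: the Java hunks protect the six handlers in JobGroupController (index, pageList, save, update, remove, loadById) one by one with `@PermissionLimit(adminuser = true)`, which is the same opt-in pattern that left them unprotected before this change; any handler added to this controller later without the annotation is reachable by non-admin sessions again. Suggest applying the restriction at the class level if the annotation and its interceptor support that, or otherwise making the admin check the default for everything mapped under this controller, and adding a test that asserts each mapping under /jobgroup rejects a non-admin session so a regression is caught rather than rediscovered in production.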
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7qq9-9g2w-56f9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36157 (NVD advisory)
- github.com/Richard-Muzi/vulnerability/issues/1 (issue report)
- github.com/xuxueli/xxl-job/commit/730c1066b80e8ab44503ed34ced19ef8e0471fec (fix commit)
News mentions
No linked articles in our index yet.