VYPR
High severity · NVD Advisory · Published Mar 21, 2023 · Updated Feb 26, 2025

CVE-2023-27087

Description

Permissions vulnerability found in Xuxueli xxl-job v2.2.0, v2.3.0 and v2.3.1 allows attacker to obtain sensitive information via the pageList parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A permissions vulnerability in Xuxueli XXL-JOB versions 2.2.0, 2.3.0, and 2.3.1 allows attackers to obtain sensitive information via the pageList parameter due to missing authorization checks.

Vulnerability

Overview

CVE-2023-27087 is a permissions vulnerability in the Xuxueli XXL-JOB distributed task scheduling framework, affecting versions 2.2.0, 2.3.0, and 2.3.1 [1][2]. The root cause is insufficient authorization validation on the pageList parameter in the administrative API, which allows an attacker to access sensitive information without proper permissions [3].

Exploitation

An attacker with network access to the XXL-JOB admin interface can exploit this vulnerability by crafting malicious requests that manipulate the pageList parameter. While some level of authentication may be required, the lack of proper permission checks enables a low-privileged user (or potentially an unauthenticated attacker) to enumerate or retrieve sensitive data that should be restricted [3].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive information, such as task configurations, execution logs, or internal system details. This information leakage could be leveraged to plan further attacks or gain deeper access to the system [2][3].

Mitigation

The vulnerability was reported and addressed by the vendor in a subsequent release. Users are strongly advised to upgrade to the latest patched version of XXL-JOB to remediate the issue. No workarounds have been publicly documented [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| com.xuxueli:xxl-job (Maven) | >= 2.2.0, <= 2.3.1 | |
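
A dependency check for the affected range listed above, as an added example (not code from the advisory or from the XXL-JOB project). It assumes a POM in the standard Maven namespace and also matches sub-artifacts whose artifactId starts with `xxl-job` (an assumption; the advisory names only `com.xuxueli:xxl-job`); the sample POM is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected range from this advisory: com.xuxueli:xxl-job >= 2.2.0, <= 2.3.1
GROUP_ID = "com.xuxueli"
ARTIFACT_PREFIX = "xxl-job"  # assumption: also catch xxl-job-core, xxl-job-admin, ...
LOW, HIGH = (2, 2, 0), (2, 3, 1)
NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # assumption: standard POM namespace

# Constructed sample POM, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><xxl-job.version>2.3.0</xxl-job.version></properties>
  <dependencies>
    <dependency><groupId>com.xuxueli</groupId><artifactId>xxl-job-core</artifactId>
      <version>${xxl-job.version}</version></dependency>
    <dependency><groupId>com.xuxueli</groupId><artifactId>xxl-job</artifactId>
      <version>2.4.0</version></dependency>
    <dependency><groupId>com.xuxueli</groupId><artifactId>xxl-job-admin</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>xxl-job-like</artifactId>
      <version>2.3.0</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Return (major, minor, patch), or None for anything that is not a plain release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_pom(pom_xml):
    """Return [(artifactId, version, status)] for every xxl-job dependency in a POM."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        group = dep.findtext("m:groupId", "", NS).strip()
        artifact = dep.findtext("m:artifactId", "", NS).strip()
        if group != GROUP_ID or not artifact.startswith(ARTIFACT_PREFIX):
            continue
        raw = dep.findtext("m:version", "", NS).strip()
        ref = re.fullmatch(r"\$\{(.+)\}", raw)  # resolve ${property} references
        version = props.get(ref.group(1), raw) if ref else raw
        parsed = parse_version(version)
        if parsed is None:  # no version, SNAPSHOT or unresolved property: review by hand
            status = "unknown"
        else:  # "outside-range" only means not listed here; the page names no patched version
            status = "affected" if LOW <= parsed <= HIGH else "outside-range"
        findings.append((artifact, version, status))
    return findings
```

Dependencies whose version is inherited from a parent POM or `dependencyManagement` in another file come back as `unknown` and need the effective POM to resolve.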

Affected products

2

Patches

0

No patches discovered yet.

References

3
