CVE-2023-29921
Description
CVE-2023-29921: PowerJob V4.3.1 app creation endpoint lacks access control, allowing unauthenticated attackers to create arbitrary applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2023-29921 is an incorrect access control vulnerability in PowerJob V4.3.1, an open-source distributed job scheduling framework. The /appInfo/save interface lacks authentication, allowing any unauthenticated user to create new application entries by simply sending a POST request with an application name and password [1][3].
Exploitation
The attack requires no authentication or special privileges. An attacker can send a crafted HTTP POST request to /appInfo/save with a JSON payload containing arbitrary appName and password fields. The official issue tracker provides a concrete request example that successfully creates an application without any permission checks [3]. Network access to the PowerJob server (default port 7700) is sufficient.
Impact
Successful exploitation enables an attacker to create arbitrary applications in the PowerJob system. These rogue applications can then be used to log in to the backend with attacker-controlled credentials, potentially leading to unauthorized job scheduling, monitoring, and manipulation of distributed tasks. This could result in execution of arbitrary code on worker nodes or disruption of business-critical scheduled jobs.
Mitigation
As of the advisory publication, PowerJob V4.3.1 is affected. The vendor has been notified via the GitHub issue tracker [3]. Users should apply any patches made available by the PowerJob team or restrict network access to the /appInfo/save endpoint via firewall rules or reverse proxy configurations until an official fix is released.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tech.powerjob:powerjob (Maven) | <= 4.3.6 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control on the `/appInfo/save` interface allows unauthenticated app creation."
Attack vector
An attacker sends a POST request to `/appInfo/save` with a JSON body containing `appName` and `password` fields, without any authentication token or session [ref_id=1]. The server processes the request and creates a new application record. The attacker can then log in to the backend using the credentials they supplied, gaining unauthorized access to the system [ref_id=1].
Affected code
The `/appInfo/save` interface in PowerJob V4.3.1 lacks access control checks, allowing unauthenticated requests to create new application entries [ref_id=1].
What the fix does
The advisory does not include a patch or official remediation. The reporter describes the issue as an unauthorized access vulnerability on the `/appInfo/save` interface, which should require authentication before allowing app creation [ref_id=1]. No fix has been published in the referenced issue.
Preconditions
- network: The PowerJob server must have the /appInfo/save endpoint exposed and accessible over the network.
- auth: No authentication token or session is required; the endpoint accepts unauthenticated POST requests.
Reproduction
Send a POST request to `/appInfo/save` with a JSON body `{"appName":"test","password":"test"}`. The server creates a new application without requiring any permissions. Then log in to the backend using the created credentials [ref_id=1].
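A defender-side check that matches the network-restriction mitigation and the preconditions above, as an added example that is not part of the advisory or the PowerJob project: it scans reverse-proxy access logs for POSTs to /appInfo/save that originate outside an assumed administrative allowlist. The ADMIN_NETWORKS list, the use of the Apache/nginx "combined" log format and the sample log lines are all assumptions constructed for this example.

```python
"""Flag app-creation requests to PowerJob's /appInfo/save from non-admin networks.

Added example, not code from the advisory or from PowerJob. Assumes a reverse proxy
in front of PowerJob writes "combined" access logs and that app creation is expected
only from ADMIN_NETWORKS (both assumptions); SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Networks from which administrative app creation is expected (assumption).
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two external POSTs (one with a query string), one internal, one GET.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2026:10:01:02 +0000] "POST /appInfo/save HTTP/1.1" 200 58 "-" "python-requests/2.31"
10.1.2.3 - - [20/May/2026:10:02:10 +0000] "POST /appInfo/save HTTP/1.1" 200 58 "https://powerjob.internal/" "Mozilla/5.0"
203.0.113.7 - - [20/May/2026:10:02:11 +0000] "GET /appInfo/list HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.9 - - [20/May/2026:10:03:00 +0000] "POST /appInfo/save?x=1 HTTP/1.1" 200 58 "-" "curl/8.4"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line; return {} for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def find_external_app_creation(log_text: str) -> List[Dict[str, str]]:
    """Return POSTs to /appInfo/save whose client IP is outside ADMIN_NETWORKS."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["method"] != "POST":
            continue
        # Normalise the path: drop the query string and any trailing slash.
        path = entry["path"].split("?", 1)[0].rstrip("/")
        if path != "/appInfo/save":
            continue
        ip = ipaddress.ip_address(entry["ip"])
        if any(ip in net for net in ADMIN_NETWORKS):
            continue
        findings.append({"ip": entry["ip"], "time": entry["time"],
                         "status": entry["status"], "ua": entry["ua"]})
    return findings


if __name__ == "__main__":
    for f in find_external_app_creation(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} POST /appInfo/save -> HTTP {f['status']} ({f['ua']})")
```

A 200 response on a flagged line means an application record was most likely created and should be reviewed in the PowerJob backend.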
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- [1] github.com/advisories/GHSA-mpvf-6h9g-2hq2 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-29921 (advisory, via GHSA)
- [3] github.com/PowerJob/PowerJob/issues/586 (web, via GHSA)
News mentions (0)
No linked articles in our index yet.