CVE-2023-29922
Description
PowerJob V4.3.1's /user/save interface lacks access control, allowing unauthenticated attackers to create arbitrary users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2023-29922 describes an incorrect access control vulnerability in PowerJob V4.3.1, specifically in the /user/save interface. The issue stems from a lack of authentication or authorization checks on this endpoint, which is meant to be used for user creation. The official advisory indicates that the interface does not verify whether the requester has the necessary permissions to create new users, effectively leaving the endpoint open to unauthenticated requests [1][3].
Exploitation Details
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the /user/save endpoint with a JSON payload containing user details (username, phone, email, webHook). The request does not require any authentication token or session, as demonstrated in the bug report where a simple POST request successfully creates a user without any permissions [3]. The attack surface is broadened because PowerJob is an enterprise job scheduling framework with a web UI, and the vulnerable endpoint is exposed on the default HTTP port (7700) [2][3].
Impact
Successful exploitation allows an attacker to create arbitrary user accounts within PowerJob. With a newly created account, the attacker gains access to the job scheduling platform, potentially enabling them to perform privileged actions such as creating or modifying scheduled tasks, viewing or modifying job configurations, and accessing sensitive execution logs. This could lead to further compromise of the underlying system if malicious tasks are executed [1][2].
Mitigation Status
As of the publication date, the vulnerability was reported in PowerJob V4.3.1. Users are advised to apply any patches provided by the maintainers. The issue was reported via the project's GitHub issues page, and users should monitor the repository for updates or apply workarounds such as restricting network access to the vulnerable endpoint [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| tech.powerjob:powerjob | Maven | <= 4.3.9 | — |
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"Missing access control on the /user/save interface allows unauthenticated user creation."
Attack vector
An attacker sends a POST request to `/user/save` with a JSON body containing user fields such as username, phone, email, and webHook [ref_id=1]. No authentication or authorization token is required, so any remote attacker who can reach the PowerJob server can create arbitrary user accounts [CWE-284].
Affected code
The `/user/save` interface in PowerJob V4.3.1 lacks access control checks, allowing unauthenticated user creation [ref_id=1].
What the fix does
The advisory does not include a patch or official fix [ref_id=1]. Remediation would require adding authentication and authorization checks to the `/user/save` endpoint so that only authenticated administrators can create new users [CWE-284].
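To make the missing-check pattern concrete, the following is an added illustration written for this page, not PowerJob's code or its fix: a user-creation handler modelled two ways, once with no access check at all (the CWE-284 shape the advisory describes) and once requiring an authenticated caller with an administrator role before the store is touched. The `Session`, `Request` and `UserStore` types and the `admin`/`user` role names are constructed stand-ins; only the four body fields come from the advisory.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a server-side session. Role names "admin"/"user"
# are an assumption for this example, not PowerJob's role model.
@dataclass
class Session:
    user: str
    role: str

# Constructed request object: the JSON body plus whatever session the
# framework resolved for the caller (None = unauthenticated).
@dataclass
class Request:
    method: str
    path: str
    body: dict
    session: Optional[Session] = None

# In-memory user table plus an audit trail of denied attempts, so that
# rejected calls are visible to operators rather than silently dropped.
@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

# The four fields named in the advisory's request body.
REQUIRED_FIELDS = ("username", "phone", "email", "webHook")

def _create(store: UserStore, body: dict):
    """Shared persistence step; returns an (http_status, payload) pair."""
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        return 400, {"error": f"missing fields: {missing}"}
    name = body["username"]
    if name in store.users:
        return 409, {"error": "user already exists"}
    store.users[name] = {k: body[k] for k in REQUIRED_FIELDS}
    return 200, {"created": name}

def save_user_unprotected(req: Request, store: UserStore):
    """Vulnerable shape: whoever can reach the endpoint can create a user."""
    return _create(store, req.body)

def save_user_protected(req: Request, store: UserStore):
    """Hardened shape: authenticate, then authorize, before any side effect."""
    if req.session is None:
        store.audit.append(("denied", "unauthenticated", req.path))
        return 401, {"error": "authentication required"}
    if req.session.role != "admin":
        store.audit.append(("denied", req.session.user, req.path))
        return 403, {"error": "administrator role required"}
    return _create(store, req.body)
```

The order of the checks matters: authentication (401) is decided before authorization (403), and both happen before `_create` runs, so an anonymous caller never reaches the store. The audit list is what a detection pipeline would consume.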
Preconditions
- Network: the attacker must have network access to the PowerJob server on the port where the /user/save endpoint is exposed (e.g., port 7700).
- Auth: no authentication or session token is required.
Reproduction
Send the following HTTP request to the PowerJob server:
```
POST /user/save HTTP/1.1
Host: test.cn:7700
Content-Length: 111
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.69
Content-Type: application/json;charset=UTF-8
Origin: http://test.cn:7700
Referer: http://test.cn:7700/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

{"username":"test","phone":"test","email":"test","webHook":"test"}
```
The server creates a new user without requiring any permissions [ref_id=1].
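For defenders who cannot patch immediately, the request above is also a usable detection signature. The following is an added example for this page (not from the advisory or the PowerJob project): it parses a raw HTTP/1.1 request and raises an alert when the user-creation endpoint is called with no `Cookie` or `Authorization` header. The sample requests are constructed; the unauthenticated one trims the browser headers from the bug-report request, the `JSESSIONID` cookie value and the `/user/list` path are placeholders, not PowerJob identifiers.

```python
import json
from email.parser import Parser

# Endpoints that should never be reachable without credentials. The
# advisory names only /user/save; the set form allows adding others.
SENSITIVE_ENDPOINTS = {("POST", "/user/save")}
# Headers whose presence indicates the caller carried some credential.
CREDENTIAL_HEADERS = ("Cookie", "Authorization")

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    request_line, _, header_block = head.partition("\n")
    method, target, _version = request_line.split(" ", 2)
    # email.parser gives case-insensitive header lookup for free.
    headers = Parser().parsestr(header_block, headersonly=True)
    path = target.split("?", 1)[0]
    return method, path, headers, body

def check_request(raw: str) -> dict:
    """Return a finding dict; alert=True means an unauthenticated create."""
    method, path, headers, body = parse_request(raw)
    finding = {"method": method, "path": path, "alert": False, "username": None}
    if (method, path) not in SENSITIVE_ENDPOINTS:
        return finding
    if any(headers.get(h) for h in CREDENTIAL_HEADERS):
        return finding
    finding["alert"] = True
    # Best-effort extraction of the account name for the alert record.
    try:
        finding["username"] = json.loads(body).get("username")
    except (ValueError, AttributeError):
        pass
    return finding

# Constructed sample: the shape of the bug-report request with the long
# browser headers removed and no credential header at all.
UNAUTHENTICATED_CREATE = "\r\n".join([
    "POST /user/save HTTP/1.1",
    "Host: test.cn:7700",
    "Content-Type: application/json;charset=UTF-8",
    "Content-Length: 66",
    "Connection: close",
    "",
    '{"username":"test","phone":"test","email":"test","webHook":"test"}',
])

# Constructed sample: the same call carrying a session cookie (placeholder
# cookie name/value), which the rule treats as lower priority.
AUTHENTICATED_CREATE = UNAUTHENTICATED_CREATE.replace(
    "Connection: close",
    "Cookie: JSESSIONID=constructed-example\r\nConnection: close",
)

# Constructed sample: an unrelated read the rule must ignore.
HARMLESS_GET = "GET /user/list HTTP/1.1\r\nHost: test.cn:7700\r\n\r\n"

if __name__ == "__main__":
    for sample in (UNAUTHENTICATED_CREATE, AUTHENTICATED_CREATE, HARMLESS_GET):
        print(check_request(sample))
```

A present cookie does not prove the session is valid, so the rule is a triage aid, not an authorization check: the authoritative fix remains server-side enforcement on the endpoint, and in a hardened deployment any request that still matches this rule is worth investigating regardless of the response code.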
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-c23v-vqw5-52c5 (advisory, via GHSA)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-29922 (advisory, via GHSA)
- [3] github.com/PowerJob/PowerJob/issues/585 (web, via GHSA)
News mentions: 0 (no linked articles in our index yet)