CVE-2023-29923
Description
PowerJob V4.3.1 has an insecure permission vulnerability allowing unauthorized viewing of job information via the /job/list interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2023-29923 describes an insecure permissions vulnerability in PowerJob V4.3.1, an enterprise job scheduling middleware. The issue resides in the /job/list interface, which does not enforce an authorization check on the application whose jobs are requested. An attacker can set the appId parameter in a POST request to any value and receive the job details of that application, bypassing the intended per-application boundary [1][3].
Exploitation Details
Exploitation requires network access to the PowerJob server and the ability to send HTTP POST requests to the /job/list endpoint. The proof of concept in the project issue [3] sends the request without any credentials and retrieves job data for arbitrary applications simply by changing the appId value in the JSON payload, for example {"appId":1,"index":0,"pageSize":10}; the index and pageSize fields page through the results, so an attacker can walk every appId and every page of each application's job list [3].
Impact
An attacker can list jobs for any application managed by PowerJob, leaking information about scheduled tasks, execution parameters, processor classes and application configuration. The advisory describes read access only, but this exposure aids further attacks, such as mapping the system topology or identifying jobs worth targeting in a follow-on step [1].
Mitigation Status
As of the published CVE date (April 2023), PowerJob V4.3.1 is affected and the advisory lists no patched version [1][2]. Until a fixed release is available, users should restrict network access to the PowerJob server (network segmentation) and enforce authentication and per-application authorization in front of the API at a gateway or reverse proxy, so that a request for a given appId is only forwarded for a caller entitled to that application [1][2]. The issue was reported via the project's GitHub issue tracker, so the development team has been notified [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tech.powerjob:powerjob (Maven) | <= 4.3.1 | none listed |
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"Missing authorization check on the `/job/list` endpoint allows any user to list jobs of any application by simply supplying an `appId` parameter."
Attack vector
An attacker sends a POST request to `/job/list` with a crafted JSON body containing an `appId` parameter, such as `{"appId":1,"index":0,"pageSize":10}`. The server does not verify that the requester is entitled to the specified application's job list, so any unauthenticated or unauthorized user can enumerate jobs across every application by iterating `appId` [1]. Because the check that fails is "does this caller own this object", the flaw is a horizontal authorization bypass; the advisory classifies it as CWE-276 (Incorrect Default Permissions).
Affected code
The issue is in the `/job/list` API endpoint of PowerJob V4.3.1. The advisory does not specify a particular source file or function, but the endpoint accepts a POST request with an `appId` parameter that is not properly authorized [1].
What the fix does
No patch is published in the bundle. The advisory [1] reports the vulnerability as an unauthorized access issue in the `/job/list` endpoint. The expected remediation is to authenticate the caller and then compare the requested `appId` against the application identity established server-side for that session, returning an error when they differ, so that a client-supplied `appId` can never widen what the caller is allowed to see.
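The following Python models the authorization gap described in this section and in the attack vector above. It is an added example, not PowerJob's code (PowerJob itself is Java): only the request shape `{"appId":...,"index":...,"pageSize":...}` comes from the advisory's proof of concept; the job table, the `Session` object, the two handler names and the `enumerate_apps` replay helper are constructed for illustration. The vulnerable handler lets the caller-supplied `appId` select the tenant; the hardened one rejects unauthenticated callers and refuses any `appId` that does not match the session's own application.

```python
"""Model of the /job/list authorization flaw and its fix (added example, not PowerJob code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed job table: two applications (tenants) with a few jobs each.
JOBS = {
    1: [{"jobId": 11, "jobName": "billing-nightly", "processor": "com.example.Billing"},
        {"jobId": 12, "jobName": "billing-retry", "processor": "com.example.Retry"}],
    2: [{"jobId": 21, "jobName": "report-export", "processor": "com.example.Export"}],
}


@dataclass
class Session:
    """Server-side session; app_id is set at login and never taken from the request."""
    app_id: Optional[int] = None  # None means the caller never authenticated


class Forbidden(Exception):
    pass


def _page(rows, index, page_size):
    """Validate paging parameters before slicing (shared by both handlers)."""
    if not (isinstance(index, int) and isinstance(page_size, int)):
        raise ValueError("paging parameters must be integers")
    if index < 0 or not 1 <= page_size <= 100:
        raise ValueError("paging parameters out of range")
    start = index * page_size
    return rows[start:start + page_size]


def list_jobs_vulnerable(body: dict, session: Session) -> list:
    """Behaviour the advisory describes: the client's appId picks the tenant and
    nothing ties that choice to who is asking (session is never consulted)."""
    return _page(JOBS.get(body["appId"], []), body["index"], body["pageSize"])


def list_jobs_hardened(body: dict, session: Session) -> list:
    """Object-level authorization: reject anonymous callers, then require that the
    requested appId equals the application the session was authenticated for."""
    if session.app_id is None:
        raise Forbidden("login required")
    app_id = body.get("appId")
    if app_id != session.app_id:
        # Same error whether or not app_id exists, so the check itself leaks nothing.
        raise Forbidden("not authorised for this appId")
    return _page(JOBS.get(app_id, []), body["index"], body["pageSize"])


def enumerate_apps(handler, session: Session, app_ids) -> dict:
    """Replay the advisory's PoC payload across appIds and report {appId: rows returned}
    for every appId the handler answered instead of refusing."""
    leaked = {}
    for app_id in app_ids:
        try:
            rows = handler({"appId": app_id, "index": 0, "pageSize": 10}, session)
        except Forbidden:
            continue
        leaked[app_id] = len(rows)
    return leaked


if __name__ == "__main__":
    anon = Session()
    print("vulnerable, anonymous:      ", enumerate_apps(list_jobs_vulnerable, anon, range(1, 4)))
    print("hardened, anonymous:        ", enumerate_apps(list_jobs_hardened, anon, range(1, 4)))
    print("hardened, logged in as app 2:", enumerate_apps(list_jobs_hardened, Session(app_id=2), range(1, 4)))
```

Run stand-alone, the vulnerable handler answers every appId for an anonymous caller (including an empty list for an appId that does not exist, which itself confirms the enumeration works), while the hardened handler answers only the one application the session belongs to and nothing at all for an anonymous caller.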
Preconditions
- network: The PowerJob server must have the /job/list endpoint exposed and reachable over the network.
- auth: The advisory describes no authentication or authorization requirement for the request; the attacker sends it without any credentials.
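Because the request needs no credentials and succeeds by iterating appId, a practical compensating control while no patch exists is to watch the access log in front of the server for that pattern. The Python below is an added example, not part of the advisory or of PowerJob: the log lines are constructed in a combined-format variant that appends the request's Cookie header, and the `JSESSIONID` session-cookie name, the 60-second window and the five-request threshold are assumptions to tune for the deployment.

```python
"""Flag appId enumeration against /job/list in access logs (added example, not PowerJob code)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format with the Cookie header appended as a final quoted field (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SESSION_COOKIE = "JSESSIONID="  # assumption: the server's session cookie name

# Constructed sample: one legitimate browser session and one scripted client walking appIds.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2023:10:00:01 +0000] "POST /job/list HTTP/1.1" 200 812 "-" "Mozilla/5.0" "JSESSIONID=abc"
10.0.0.5 - - [01/May/2023:10:00:05 +0000] "GET /appInfo/list HTTP/1.1" 200 300 "-" "Mozilla/5.0" "JSESSIONID=abc"
203.0.113.7 - - [01/May/2023:10:01:00 +0000] "POST /job/list HTTP/1.1" 200 812 "-" "python-requests/2.28" "-"
203.0.113.7 - - [01/May/2023:10:01:01 +0000] "POST /job/list HTTP/1.1" 200 540 "-" "python-requests/2.28" "-"
203.0.113.7 - - [01/May/2023:10:01:02 +0000] "POST /job/list HTTP/1.1" 200 77 "-" "python-requests/2.28" "-"
203.0.113.7 - - [01/May/2023:10:01:03 +0000] "POST /job/list HTTP/1.1" 200 77 "-" "python-requests/2.28" "-"
203.0.113.7 - - [01/May/2023:10:01:04 +0000] "POST /job/list HTTP/1.1" 200 77 "-" "python-requests/2.28" "-"
"""


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(lines, window_s=60, threshold=5):
    """Report clients that POSTed /job/list at least `threshold` times inside any
    `window_s`-second span. Each finding records whether the burst carried a session
    cookie at all; a cookie-less burst is the advisory's unauthenticated scenario."""
    hits = defaultdict(list)  # ip -> [(timestamp, had_session_cookie)]
    for line in lines:
        rec = parse(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/job/list":
            continue
        hits[rec["ip"]].append((rec["ts"], SESSION_COOKIE in rec["cookie"]))

    findings = []
    for ip, events in hits.items():
        events.sort()
        for start in range(len(events)):
            end = start
            while (end + 1 < len(events)
                   and (events[end + 1][0] - events[start][0]).total_seconds() <= window_s):
                end += 1
            count = end - start + 1
            if count >= threshold:
                burst = events[start:end + 1]
                findings.append({"ip": ip, "hits": count,
                                 "unauthenticated": not any(has_cookie for _, has_cookie in burst)})
                break  # one finding per client is enough for an alert
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']}: {f['hits']} POST /job/list requests in one window, "
              f"{'no session cookie' if f['unauthenticated'] else 'with session cookie'}")
```

The logic keys on request bursts rather than on the appId values because a standard access log does not record the POST body; if the reverse proxy can be configured to log the body or to inject a per-request identifier, counting distinct appIds per client is a tighter signal than raw request rate.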
Reproduction
Send a POST request to `http://
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-5c86-gpvc-fp53 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-29923 (NVD entry)
- [3] github.com/PowerJob/PowerJob/issues/587 (project issue tracker)
News mentions: 0 (no linked articles in our index yet)