CVE-2023-33779
Description
A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XXL-Job v2.4.1 suffers from a lateral privilege escalation vulnerability allowing authenticated users to perform actions on other users' executors via crafted POST requests to /jobinfo/ endpoints.
Vulnerability
Overview
XXL-Job v2.4.1, a distributed task scheduling framework [1], contains a lateral privilege escalation vulnerability in its /jobinfo/ endpoints. The root cause is insufficient authorization checks: the application fails to verify that a user has permission to access or modify tasks belonging to another user's executor. This allows an authenticated user to manipulate POST request parameters to interact with tasks on any executor in the system [3].
Exploitation
An attacker must have a valid account on the XXL-Job dispatch center. By sending crafted POST requests to endpoints such as /jobinfo/pageList, /jobinfo/add, /jobinfo/update, /jobinfo/remove, /jobinfo/stop, and /jobinfo/trigger, the attacker can modify the jobGroup or other parameters to target a different user's executor [3]. No additional privileges are required beyond basic authentication.
Impact
Successful exploitation enables the attacker to view, create, modify, delete, stop, or trigger tasks on another user's executor. Since tasks can execute arbitrary commands on the executor, this effectively grants the attacker remote code execution on the victim's executor, leading to lateral movement and potential compromise of the entire scheduling environment [3].
Mitigation
As of the CVE publication date (2023-05-26), no official patch has been released. Administrators should restrict network access to the dispatch center, enforce strong authentication, and implement additional authorization controls at the application or network level until a fix is available.
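The application-level authorization control described above, as an added illustration that is not part of this advisory or of XXL-Job's own code: a group-scoped check for the listed /jobinfo/ actions, replayed over constructed access-log lines to surface requests whose jobGroup does not belong to the requesting user. The user-to-jobGroup mapping, the log lines and the /xxl-job-admin context path are assumptions for the example.

```python
import re
from urllib.parse import parse_qs

# The /jobinfo/ actions the advisory lists as affected; each is scoped to an
# executor group (jobGroup), so each needs a group-level authorization check.
JOBINFO_ACTIONS = {"pageList", "add", "update", "remove", "stop", "trigger"}

# Constructed mapping of user -> executor groups (jobGroup ids) that user administers.
# Hypothetical data, not taken from any real XXL-Job deployment.
USER_JOBGROUPS = {"alice": {1}, "bob": {2}}


def is_authorized(user, path, params):
    """Allow a /jobinfo/ action only if the request's jobGroup belongs to the user.

    The vulnerable behaviour is the absence of this check. Requests that name a job
    only by id carry no jobGroup; this example assumes the server resolves the
    job's group before calling here, so a missing jobGroup is refused."""
    m = re.fullmatch(r".*/jobinfo/(\w+)", path)
    if not m or m.group(1) not in JOBINFO_ACTIONS:
        return True  # not one of the group-scoped endpoints this check covers
    group = params.get("jobGroup")
    if group is None or not group.isdigit():
        return False
    return int(group) in USER_JOBGROUPS.get(user, set())


# Constructed access-log lines: "<user> <method> <path> <form body>". The second
# and fifth lines are the cross-group requests a reviewer would want surfaced.
LOG = [
    "alice POST /xxl-job-admin/jobinfo/pageList jobGroup=1&jobDesc=",
    "alice POST /xxl-job-admin/jobinfo/trigger id=7&jobGroup=2",
    "bob GET /xxl-job-admin/jobinfo/pageList jobGroup=1",
    "bob POST /xxl-job-admin/jobinfo/update id=9&jobGroup=2&jobDesc=nightly",
    "bob POST /xxl-job-admin/jobinfo/remove id=3",
]


def find_cross_group_requests(log_lines):
    """Replay logged POSTs through is_authorized; return (user, action, jobGroup) of denials."""
    hits = []
    for line in log_lines:
        user, method, path, body = line.split(" ", 3)
        if method != "POST":
            continue  # the listed actions are POST endpoints
        params = {k: v[0] for k, v in parse_qs(body).items()}
        if not is_authorized(user, path, params):
            hits.append((user, path.rsplit("/", 1)[1], params.get("jobGroup")))
    return hits
```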
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.xuxueli:xxl-job (Maven) | <= 2.4.1 | — |
Affected products
- XXL-Job / XXL-Job
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.