VYPR
High severity · NVD Advisory · Published Aug 17, 2023 · Updated Oct 8, 2024

CVE-2023-36106

Description

PowerJob 4.3.2 and earlier has an incorrect access control vulnerability in the /container/list endpoint, allowing unauthenticated disclosure of sensitive container information via the appId parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2023-36106 is an incorrect access control vulnerability in the distributed task scheduling and computing framework PowerJob, affecting versions 4.3.2 and earlier. The vulnerability exists in the /container/list endpoint, which does not properly enforce authorization checks when handling the appId parameter. As a result, an unauthenticated remote attacker can query container information without any valid credentials or session tokens.[2][3]

Exploitation

Exploitation is straightforward and requires no authentication. An attacker simply sends a crafted HTTP request to the /container/list interface, supplying a valid or enumerated appId value as a parameter. The application processes the request and returns the corresponding container details without verifying the requestor's identity or permissions. This means any remote user who can reach the vulnerable API endpoint can leverage it to extract data.[3]

Impact

The impact is the unauthenticated disclosure of sensitive information related to containers. An attacker can enumerate application IDs and retrieve metadata, configuration details, or other internal data exposed through the container list API. This information leakage could facilitate further attacks or expose business-critical configurations, undermining the security of the deployment.[2][3]
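For deployments still running an affected version, one way to look for the access pattern described above in reverse-proxy logs (an added example, not code from PowerJob or from the advisory). It assumes a combined-format access log and that appId appears in the query string; the trusted network, the threshold and the sample lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumption: combined-format access log from a reverse proxy in front of PowerJob.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin network
ENUM_THRESHOLD = 3  # distinct appId values per client before flagging

def parse_container_list(line):
    """Return (client, appId, status) for /container/list requests, else None."""
    m = LINE_RE.match(line)
    url = urlsplit(m["target"]) if m else None
    if url is None or not url.path.rstrip("/").endswith("/container/list"):
        return None
    app_id = parse_qs(url.query).get("appId", [""])[0]
    return m["ip"], app_id, int(m["status"])

def is_trusted(client, nets):
    try:
        return any(ipaddress.ip_address(client) in net for net in nets)
    except ValueError:  # hostname or malformed address: treat as untrusted
        return False

def review(lines, nets=TRUSTED_NETS, threshold=ENUM_THRESHOLD):
    """Map client -> findings for successful (200) /container/list reads."""
    seen = defaultdict(set)
    for hit in filter(None, map(parse_container_list, lines)):
        if hit[2] == 200:
            seen[hit[0]].add(hit[1])
    findings = {}
    for client, ids in seen.items():
        reasons = []
        if not is_trusted(client, nets):
            reasons.append("untrusted-source")
        if len(ids - {""}) >= threshold:
            reasons.append("appId-enumeration")
        if reasons:
            findings[client] = {"app_ids": sorted(ids), "reasons": reasons}
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
_FMT = ('{} - - [17/Aug/2023:09:00:00 +0000] '
        '"GET /container/list?appId={} HTTP/1.1" {} 512 "-" "-"')
SAMPLE_LOG = [_FMT.format(*row) for row in [
    ("10.20.0.15", 1, 200), ("198.51.100.4", 1, 403),
    ("203.0.113.7", 1, 200), ("203.0.113.7", 2, 200), ("203.0.113.7", 3, 200)]]
```

Calling `review(SAMPLE_LOG)` flags only the client that read three distinct appId values from outside the trusted network; the refused (403) request and the single read from the trusted network are not reported.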

Mitigation

As of the publication date, PowerJob users should upgrade to a version newer than 4.3.2 where the access control issue is addressed. No workarounds are detailed in the available references. The project source code is hosted on Gitee and may include patches in later releases.[1][2]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tech.powerjob:powerjob (Maven)
Affected versions: <= 4.3.2
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

3
