VYPR
High severity · NVD Advisory · Published Feb 8, 2024 · Updated May 15, 2025

CVE-2024-24113

Description

xxl-job <= 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which allows low-privileged users to control the executor and achieve RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XXL-JOB <= 2.4.1 has an SSRF in the /trigger endpoint that allows low-privileged users to obtain an access token and achieve RCE on executors.

XXL-JOB, a distributed task scheduling framework, contains a Server-Side Request Forgery (SSRF) vulnerability in versions 2.4.1 and earlier [1]. The flaw resides in the /trigger endpoint of JobInfoController.java, which directly sends requests to user-supplied addresses without validation [3].

A low-privileged user without executor permissions can exploit this by crafting a request to /trigger with an arbitrary addressList parameter pointing to an attacker-controlled server. The XXL-JOB admin server will then send a request containing the XXL-JOB-ACCESS-TOKEN to that server, leaking the token [3].

With the obtained token, the attacker can call any executor and submit arbitrary tasks, leading to remote code execution (RCE) on the executor machines. The attack requires knowledge of a valid job ID, which can be enumerated [3].

As of the publication date, no official patch was available. Users should upgrade to a version beyond 2.4.1 if available, or implement input validation on the addressList parameter to restrict it to known executor addresses [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
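The mitigation above (restrict addressList to known executor addresses) is the kind of check a scheduler can do before it forwards a trigger, and with it the access token, anywhere. The following is an added example, not XXL-JOB's own code: it is written in Python for illustration rather than in the project's Java, it assumes addressList is a comma-separated list of executor URLs, that the admin already holds the set of executor addresses learned through registration, and that an empty addressList means "use the registered executors". The comparison is done on parsed (scheme, host, port) components rather than on string prefixes, so userinfo tricks such as http://10.0.0.11:9999@other-host/ are not mistaken for a registered executor.

```python
"""Allowlist check for a user-supplied executor addressList (added example).

Not XXL-JOB code; it shows the shape of the validation the advisory recommends:
the admin only dispatches a trigger to executors it already knows about.
"""
from urllib.parse import urlsplit

# Constructed sample: executor addresses the scheduler learned via registration.
REGISTERED_EXECUTORS = {
    "http://10.0.0.11:9999/",
    "http://10.0.0.12:9999/",
}


def _normalize(address):
    """Return (scheme, host, port) for an executor address, or None if it is
    not a plain http(s) URL with a host and a well-formed port."""
    try:
        parts = urlsplit(address.strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        if parts.username is not None or parts.password is not None:
            # user:pass@host is never an executor address; refuse it outright
            return None
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def validate_address_list(address_list, registered=REGISTERED_EXECUTORS):
    """Split the comma-separated addressList (assumed format) and sort each
    entry into accepted (matches a registered executor) or rejected."""
    allowed = {_normalize(a) for a in registered}
    allowed.discard(None)
    accepted, rejected = [], []
    for raw in address_list.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if _normalize(raw) in allowed:
            accepted.append(raw)
        else:
            rejected.append(raw)
    return accepted, rejected


def resolve_trigger_targets(address_list, registered=REGISTERED_EXECUTORS):
    """Fail closed: dispatch only if every supplied address is a registered
    executor; otherwise return None so the caller can answer with a 4xx.
    An empty addressList falls back to the registered set (assumption), so the
    admin rather than the requester decides where the access token is sent."""
    if address_list is None or not address_list.strip():
        return sorted(registered)
    accepted, rejected = validate_address_list(address_list, registered)
    if rejected or not accepted:
        return None
    return accepted


if __name__ == "__main__":
    for sample in ("http://10.0.0.11:9999",
                   "http://10.0.0.11:9999/,http://attacker.example:8080/",
                   ""):
        print(repr(sample), "->", resolve_trigger_targets(sample))
```

Rejected entries are worth logging with the requesting user: a low-privileged account repeatedly supplying non-registered addresses to /trigger is exactly the pattern this advisory describes, and the log line gives a detection hook as well as a block.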

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xuxueli:xxl-job (Maven)
Affected versions: <= 2.4.2
Patched versions: (none listed)

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.