SB2023032411 - Multuiple vulnerabilities in xxl-job

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2022-43183)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input with "/admin/controller/JobLogController.java". A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

2) Improper access control (CVE-ID: CVE-2022-36157)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to administrative functionality.

Remediation

Install update from vendor's website.

References

• https://github.com/xuxueli/xxl-job/issues/3002
• https://github.com/xuxueli/xxl-job/releases/tag/2.4.0
• https://github.com/Richard-Muzi/vulnerability/issues/1