xxl-job lateral privilege escalation vulnerability
Deploy the xxl-job 2.4.1 dispatch center and a sample executor, then create two accounts, user A and user B, each granted permission on a different executor.
[Process of the lateral privilege escalation vulnerability]
User A can view user B's executor's tasks by modifying the request parameters (POST body) sent to the interface '/jobinfo/pageList'.
User A can add tasks to user B's executor by modifying the request parameters (POST body) sent to the interface '/jobinfo/add'.
User A can update user B's executor's tasks by modifying the request parameters (POST body) sent to the interface '/jobinfo/update'.
User A can delete tasks of user B's executor by modifying the request parameters (POST body) sent to the interface '/jobinfo/remove'.
User A can stop user B's executor's tasks by modifying the request parameters (POST body) sent to the interface '/jobinfo/stop'.
User A can trigger user B's executor's tasks by modifying the request parameters (POST body) sent to the interface '/jobinfo/trigger'.
The same applies to '/jobinfo/start' and '/jobinfo/nextTriggerTime'.
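The following is an added example, not xxl-job's own code: it models a server-side ownership check for the /jobinfo/* operations in which the executor a request may touch is decided from the user's stored permissions and, for operations that name a task by id, from the executor the stored task actually belongs to, so that a jobGroup value supplied in the request body cannot widen access. All names (Job, User, JOBS, authorize_group, authorize_job) are hypothetical.

```python
# Added example (not xxl-job's code): server-side ownership checks for
# executor-scoped operations. All identifiers here are hypothetical.
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the caller has no permission on the executor involved."""


@dataclass(frozen=True)
class Job:
    job_id: int
    job_group: int  # executor (job group) that owns this task


@dataclass(frozen=True)
class User:
    name: str
    permitted_groups: frozenset  # executors this user may manage


# Constructed sample state: executor 1 belongs to user A, executor 2 to user B.
JOBS = {10: Job(10, 1), 20: Job(20, 2)}
USER_A = User("A", frozenset({1}))
USER_B = User("B", frozenset({2}))


def authorize_group(user: User, job_group: int) -> int:
    """For pageList/add: the executor named in the body must be one the user owns."""
    if job_group not in user.permitted_groups:
        raise PermissionDenied(f"{user.name} may not manage executor {job_group}")
    return job_group


def authorize_job(user: User, body: dict) -> Job:
    """For update/remove/stop/start/trigger: resolve the stored task by id and
    check the executor it really belongs to; any jobGroup in the body is ignored."""
    job = JOBS.get(body.get("id"))
    if job is None:
        # Same error as a denial, so the response does not reveal whether the id exists.
        raise PermissionDenied("unknown job id")
    if job.job_group not in user.permitted_groups:
        raise PermissionDenied(f"{user.name} may not manage executor {job.job_group}")
    return job


def allowed(check, user: User, body: dict) -> bool:
    """True if the check passes for this user and body, False if it denies."""
    try:
        check(user, body)
        return True
    except PermissionDenied:
        return False
```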