
xxl-job-lateral-privilege-escalation-vulnerability

xxl-job lateral privilege escalation vulnerability

[Preconditions]

Deploy the xxl-job 2.4.1 dispatch center environment and a sample executor, and preset two accounts, user A and user B, with different executor permissions.

[Process of the lateral privilege escalation vulnerability]

User A can view user B's executor tasks by modifying the request parameters (POST body) of the interface '/jobinfo/pageList'.

User A can add tasks to user B's executor by modifying the request parameters (POST body) of the interface '/jobinfo/add'.

User A can update user B's executor tasks by modifying the request parameters (POST body) of the interface '/jobinfo/update'.

User A can delete tasks of user B's executor by modifying the request parameters (POST body) of the interface '/jobinfo/remove'.

User A can stop user B's executor tasks by modifying the request parameters (POST body) of the interface '/jobinfo/stop'.

User A can trigger user B's executor tasks by modifying the request parameters (POST body) of the interface '/jobinfo/trigger'.

The same applies to /jobinfo/start and /jobinfo/nextTriggerTime.
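An added illustration (not xxl-job's own code) of the server-side check these endpoints need: each request is authorized against the executors the calling account actually holds rights on, and for job-level actions the executor is looked up from stored job data rather than trusted from the request body. The parameter names `jobGroup` and `id`, the in-memory job map and the `vulnerable_authorize` contrast are assumptions of this model.

```python
"""Model of per-executor authorization for /jobinfo/* actions (hypothetical,
not xxl-job code). Parameter names jobGroup and id are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    executor_ids: frozenset  # jobGroup ids this account may manage


# Actions whose request body names the executor (jobGroup) directly.
EXECUTOR_ACTIONS = {"pageList", "add"}
# Actions whose request body names an existing job by id.
JOB_ACTIONS = {"update", "remove", "stop", "start", "trigger", "nextTriggerTime"}


def authorize(jobs, user, action, body):
    """Return True if `user` may perform /jobinfo/<action> with `body`.

    `jobs` maps job id -> jobGroup as stored server-side (constructed here).
    """
    if action in EXECUTOR_ACTIONS:
        # The executor id is client-supplied, so it must be checked against
        # the user's permission set before any query or insert uses it.
        return body.get("jobGroup") in user.executor_ids
    if action in JOB_ACTIONS:
        job_id = body.get("id")
        if job_id not in jobs:
            return False  # unknown job: deny rather than reveal existence
        # Check the executor the job is *stored* under, not a value from the
        # body: a tampered jobGroup in the body must not grant access.
        if jobs[job_id] not in user.executor_ids:
            return False
        # Moving a job to another executor also needs rights on the target.
        if action == "update" and "jobGroup" in body:
            return body["jobGroup"] in user.executor_ids
        return True
    return False  # unknown action: default deny


def vulnerable_authorize(user, action, body):
    """Flawed pattern (assumed, for contrast): trusting the jobGroup in the
    request body for job-level actions lets a caller pick an executor they
    own while the job id points at someone else's executor."""
    return body.get("jobGroup") in user.executor_ids
```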