Xuxueli XXL-Job Insecure Direct Object Reference Vulnerability in Job Log Access

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Xuxueli XXL-Job versions through 3.1.1. This vulnerability allows authenticated but unauthorized users to access job logs from all groups via the 'getJobsByGroup' function in the 'JobLogController.java' file. The issue arises because the access control mechanisms in place do not properly restrict access to job logs based on user permissions, leading to unauthorized information disclosure.

Impact

Exploitation of this vulnerability allows for unauthorized access to job execution logs from all groups, disclosing potentially sensitive operational information.

Reproduction

To reproduce this vulnerability, an authenticated user without assigned job groups can send a request to the '/xxl-job-admin/joblog/getJobsByGroup' endpoint. By manipulating the 'jobGroup' parameter to include IDs from groups not assigned to the user, it is possible to retrieve logs from those groups, bypassing the intended access controls.

Remediation

It is recommended to apply the 'PermissionInterceptor.validJobGroupPermission' method to the '/xxl-job-admin/joblog/getJobsByGroup' route to enforce proper group-level authorization checks.
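The following is an added illustration, not XXL-Job's own code, of the authorization gap described above and the fix the advisory recommends: a job-log lookup that trusts the client-supplied job-group ID next to the same lookup guarded by a group-permission check. All class, method and field names here are assumptions chosen for the example; the permission check stands in for the behaviour of PermissionInterceptor.validJobGroupPermission and is not a copy of it.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the XXL-Job project): one job-log endpoint in a
 * vulnerable form and in a hardened form. Names below are assumptions.
 */
public class JobLogAccessExample {

    /** A logged-in user and the job-group IDs an admin has assigned to them. */
    record User(String name, boolean isAdmin, Set<Integer> permittedGroups) {}

    /** One job-log record; constructed sample data, not a real log. */
    record JobLog(int jobGroup, String message) {}

    /** Constructed sample log store keyed by job-group ID. */
    static final Map<Integer, List<JobLog>> LOG_STORE = Map.of(
        1, List.of(new JobLog(1, "group 1: nightly-report finished")),
        2, List.of(new JobLog(2, "group 2: payroll-export finished"))
    );

    /** Raised when the caller is not allowed to read the requested group. */
    static class PermissionDeniedException extends RuntimeException {
        PermissionDeniedException(User caller, int jobGroup) {
            super("user " + caller.name() + " has no permission for job group " + jobGroup);
        }
    }

    // VULNERABLE: the caller is authenticated, but the jobGroup parameter
    // taken from the request is used directly, so any logged-in user can
    // read the logs of any group simply by changing the ID.
    static List<JobLog> getJobsByGroupVulnerable(User caller, int jobGroup) {
        return LOG_STORE.getOrDefault(jobGroup, List.of());
    }

    // Assumed equivalent of the group-level check the advisory recommends:
    // admins may read every group, other users only their assigned groups.
    // Denied attempts are logged so cross-group probing is visible to defenders.
    static void validJobGroupPermission(User caller, int jobGroup) {
        if (caller.isAdmin()) {
            return;
        }
        if (!caller.permittedGroups().contains(jobGroup)) {
            System.err.println("DENIED: " + caller.name() + " requested job group " + jobGroup);
            throw new PermissionDeniedException(caller, jobGroup);
        }
    }

    // HARDENED: enforce the permission check before touching the data.
    static List<JobLog> getJobsByGroupHardened(User caller, int jobGroup) {
        validJobGroupPermission(caller, jobGroup);
        return LOG_STORE.getOrDefault(jobGroup, List.of());
    }

    public static void main(String[] args) {
        // Constructed user assigned only to group 1.
        User limited = new User("alice", false, Set.of(1));

        // Vulnerable path: group 2 logs are returned although alice is not assigned to it.
        System.out.println("vulnerable, group 2 -> " + getJobsByGroupVulnerable(limited, 2));

        // Hardened path: own group succeeds, foreign group is rejected.
        System.out.println("hardened, group 1   -> " + getJobsByGroupHardened(limited, 1));
        try {
            getJobsByGroupHardened(limited, 2);
        } catch (PermissionDeniedException e) {
            System.out.println("hardened, group 2   -> rejected: " + e.getMessage());
        }
    }
}
```

The point of the hardened form is that the authorization decision is made server-side from the caller's assigned groups, never from the group ID the client sends; the denial log line gives a detection hook for repeated requests against groups a user does not own.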

Added: Aug 20, 2025, 11:17 PM
Updated: Aug 20, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm

spread:         5.7
impact:         2.5
exploitability: 6.2
remediation:    0.0
relevance:      0.4
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.