Xuxueli XXL-Job Insecure Direct Object Reference Vulnerability in Job Deletion Function

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in Xuxueli XXL-Job versions through 3.1.1. The issue is in the remove function of JobInfoController, which does not check whether the caller is permitted to manage the job identified by the supplied ID; as a result, an authenticated but unauthorized user can delete jobs belonging to job groups they have no permission to manage. This vulnerability could lead to privilege escalation and unauthorized operations.

Impact

Exploitation of this vulnerability allows unauthorized deletion of jobs, potentially disrupting scheduled tasks and business operations. Because the missing access control lets a low-privileged user perform an operation reserved for those who manage the job's group, it also amounts to a privilege escalation.

Reproduction

To reproduce this vulnerability, log into the application as a user with no assigned job groups, navigate to the job deletion endpoint, and send a request with an enumerated job ID. Because no access control is enforced, the job is deleted even though it lies outside the user's assigned groups.

Remediation

It is recommended to apply the PermissionInterceptor.validJobGroupPermission check to the /xxl-job-admin/jobinfo/remove route, so that deletion is only permitted for jobs in groups the requesting user is authorized to manage.
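The following is an added illustration, not XXL-Job's own code, of the vulnerable pattern described above beside the hardened form the remediation calls for. Job, User, JobStore and the two remove methods are hypothetical stand-ins for the admin console's persistence layer, login-user object and controller handler; validJobGroupPermission here only mirrors the role the advisory attributes to PermissionInterceptor.validJobGroupPermission and is not that method's real signature.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example (not XXL-Job's code): an IDOR on a delete handler and the
// group-level authorization check that closes it.
public class JobRemoveIdorDemo {

    // Hypothetical job record: the only field the check needs is its group.
    static final class Job {
        final int id;
        final int jobGroup;           // executor group the job belongs to
        Job(int id, int jobGroup) { this.id = id; this.jobGroup = jobGroup; }
    }

    // Hypothetical login user: admins may touch every group, others only
    // the groups explicitly assigned to them.
    static final class User {
        final String username;
        final boolean admin;
        final Set<Integer> permittedGroups;
        User(String username, boolean admin, Set<Integer> permittedGroups) {
            this.username = username;
            this.admin = admin;
            this.permittedGroups = permittedGroups;
        }
    }

    // Hypothetical in-memory stand-in for the job table.
    static final class JobStore {
        private final Map<Integer, Job> jobs = new HashMap<>();
        void add(Job j) { jobs.put(j.id, j); }
        Job find(int id) { return jobs.get(id); }
        boolean delete(int id) { return jobs.remove(id) != null; }
        int size() { return jobs.size(); }
    }

    // Vulnerable pattern: the caller's identity is never compared with the
    // job's group, so any logged-in user can delete any job ID they supply.
    static boolean removeVulnerable(JobStore store, User caller, int jobId) {
        return store.delete(jobId);
    }

    // Hardened pattern: resolve the job first, derive the group from the
    // stored record (never from the request), check it, and only then delete.
    static boolean removeHardened(JobStore store, User caller, int jobId) {
        Job job = store.find(jobId);
        if (job == null) {
            return false;                           // nothing to delete
        }
        validJobGroupPermission(caller, job.jobGroup);
        return store.delete(jobId);
    }

    // Mirrors the role of PermissionInterceptor.validJobGroupPermission named
    // in the advisory: reject unless the user is admin or owns the group.
    static void validJobGroupPermission(User caller, int jobGroup) {
        if (!caller.admin && !caller.permittedGroups.contains(jobGroup)) {
            throw new SecurityException("no permission for job group " + jobGroup);
        }
    }

    public static void main(String[] args) {
        JobStore store = new JobStore();
        store.add(new Job(1, 10));   // constructed sample job in group 10
        store.add(new Job(2, 20));   // constructed sample job in group 20

        // Constructed caller with no assigned job groups, as in the advisory.
        User noGroups = new User("viewer", false, Set.of());

        // Vulnerable handler: deletion succeeds although the user owns no group.
        System.out.println("vulnerable delete of job 1: "
                + removeVulnerable(store, noGroups, 1));

        // Hardened handler: the same user is refused before any state changes.
        try {
            removeHardened(store, noGroups, 2);
        } catch (SecurityException e) {
            System.out.println("hardened delete of job 2 refused: " + e.getMessage());
        }
        System.out.println("jobs remaining: " + store.size());
    }
}
```

The ordering in removeHardened matters: the job's group is read from the stored record after the lookup, so the check cannot be bypassed by sending a group the caller does own alongside a job ID from a group they do not. A handler that validates a client-supplied group parameter and then deletes by ID would still be an IDOR.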

Added: Aug 21, 2025, 12:17 AM
Updated: Aug 21, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.