Xuxueli xxl-job
cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*
- <= 3.3.2
A vulnerability allowing unauthorized access to execution logs has been identified in XXL-Job versions through 3.3.2. The issue arises in the 'logDetailCat' function of the 'JobLogController' component, where the 'logId' parameter is not properly validated against job group permissions. This flaw enables authenticated users to access log details from job groups they do not have authorization for, potentially exposing sensitive information such as business parameters, internal network addresses, stack traces, and secrets logged by jobs during execution.
Exploitation of this vulnerability leads to unauthorized access to execution logs across different job groups, allowing sensitive information to be disclosed. This includes internal hostnames, stack traces, job parameters, and any credentials or tokens that jobs may have printed into the logs. Such access could also reveal details about the organization's internal infrastructure and downstream systems, increasing the overall attack surface.
To reproduce this vulnerability, an authenticated user can request log details using the 'logDetailCat' interface, providing a valid 'logId' that they are not authorized to access. This can be done by guessing or enumerating 'logId' values. The absence of proper authorization checks on this endpoint allows the user to bypass job group restrictions and access logs from other groups.
Users are advised to upgrade to XXL-Job version 3.4.0, where this vulnerability has been addressed. After upgrading, ensure that the 'logDetailCat' function properly checks job group permissions before returning log details.
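As an added illustration of the remediation described above (not code from the xxl-job project): a minimal Java model of a log-detail handler in its vulnerable shape beside the hardened one. The types JobLog and User, the in-memory LOGS map, the sample log contents and the helper requireGroupPermission are assumptions standing in for the project's own classes and storage.

```java
import java.util.Map;
import java.util.Set;

// Illustration written for this page; not code from the xxl-job project.
// JobLog, User, LOGS and requireGroupPermission are assumed names.
public class LogDetailAuthzDemo {

    // Constructed log record: every execution log belongs to exactly one job group.
    record JobLog(long id, int jobGroup, String content) {}

    // Constructed view of an authenticated user: admin flag plus the job groups
    // the user was granted.
    record User(String name, boolean admin, Set<Integer> permittedGroups) {}

    static final class Forbidden extends RuntimeException {
        Forbidden(String msg) { super(msg); }
    }

    static final class NotFound extends RuntimeException {
        NotFound(String msg) { super(msg); }
    }

    // In-memory stand-in for the log store (constructed sample data).
    private static final Map<Long, JobLog> LOGS = Map.of(
        1L, new JobLog(1L, 10, "job ran with param=order-sync"),
        2L, new JobLog(2L, 20, "connecting to db-internal.example:5432 ... stack trace ..."));

    // Vulnerable shape: the record is fetched by the caller-supplied logId and
    // returned as is. Nothing ties the caller to the job group that owns it.
    static String logDetailVulnerable(User caller, long logId) {
        JobLog log = LOGS.get(logId);
        if (log == null) {
            throw new NotFound("log " + logId);
        }
        return log.content();
    }

    // Hardened shape: load the record, then check the group recorded on the
    // log itself (never a group id sent by the client) against the caller's
    // permissions before any content leaves the server.
    static String logDetailChecked(User caller, long logId) {
        JobLog log = LOGS.get(logId);
        if (log == null) {
            throw new NotFound("log " + logId);
        }
        requireGroupPermission(caller, log.jobGroup());
        return log.content();
    }

    // The same rule a job-group listing would apply: admins see everything,
    // everyone else only the groups they were granted.
    static void requireGroupPermission(User caller, int jobGroup) {
        if (caller.admin()) {
            return;
        }
        if (!caller.permittedGroups().contains(jobGroup)) {
            throw new Forbidden(caller.name() + " may not read job group " + jobGroup);
        }
    }

    public static void main(String[] args) {
        User operator = new User("ops-team-a", false, Set.of(10));

        // Own group: both variants return the content.
        System.out.println("own group: " + logDetailChecked(operator, 1L));

        // Foreign group: the vulnerable variant leaks, the checked one refuses.
        System.out.println("vulnerable: " + logDetailVulnerable(operator, 2L));
        try {
            logDetailChecked(operator, 2L);
        } catch (Forbidden e) {
            System.out.println("checked: denied (" + e.getMessage() + ")");
        }
    }
}
```

The point of the hardened variant is ordering: the group check runs on the job group stored with the log record, after the record is loaded and before any log text is read or returned. In a deployment the same response body for a missing id and a forbidden id also keeps the endpoint from confirming which logId values exist.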