Xuxueli XXL-Job Server-Side Request Forgery Vulnerability in Job Trigger Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Xuxueli XXL-Job versions through 3.3.2. The issue resides in the Job Trigger function of the XxlJobServiceImpl class within the XXL-Job Admin component. It allows low-privileged users to manipulate the addressList parameter when manually triggering jobs, causing the server to send requests to attacker-controlled destinations. Exploiting this vulnerability could lead to unauthorized access to internal HTTP services, exfiltration of sensitive job-related data, and misuse of platform credentials.

Impact

Exploitation of this vulnerability allows for server-side access to arbitrary HTTP targets reachable from the admin server. This could include internal services not exposed to the public, potentially leading to unauthorized data access or manipulation. Additionally, the vulnerability allows for the leakage of the XXL-JOB-ACCESS-TOKEN, which could be used to invoke administrative actions such as modifying executor statuses or managing job executions.

Reproduction

To reproduce this vulnerability, an authenticated user with permission over a job group can manually trigger a job through the XXL-JOB Admin interface. During this process, the user can supply an arbitrary addressList value, which will override the default executor addresses for the job. Once the job is triggered, the admin server will send a request to the specified address, including sensitive job execution metadata.

Remediation

Users are advised to update to version 3.4.1 or later, where this vulnerability has been addressed. For those unable to update, it is recommended to disable the manual triggering of jobs or to implement strict validation of the addressList parameter to ensure it only includes trusted, whitelisted URLs.
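One way to implement the strict validation the remediation calls for, as an added example that is not XXL-Job's own code: a user-supplied addressList is accepted only when every entry matches an executor address already registered for the job group. It assumes the comma-separated "scheme://host:port/" address format; the class and method names and the sample addresses are constructed for the example.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example (not XXL-Job code): allowlist check for a manual-trigger addressList. */
public class AddressListValidator {

    /** Constructed sample: executor addresses the admin already knows for this job group. */
    static final Set<String> REGISTERED = new HashSet<>(Arrays.asList(
        "http://10.0.0.11:9999/", "http://10.0.0.12:9999/"));

    /** Normalise one address so the comparison is exact (scheme, host, port, path). */
    static String normalize(String raw) {
        URI u = URI.create(raw.trim());
        if (u.getScheme() == null || u.getHost() == null || u.getPort() == -1) {
            throw new IllegalArgumentException("address must be scheme://host:port/");
        }
        String path = (u.getPath() == null || u.getPath().isEmpty()) ? "/" : u.getPath();
        return u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase()
            + ":" + u.getPort() + path;
    }

    /** Returns the normalised list, or throws if any entry is not a registered executor. */
    static List<String> validate(String addressList, Set<String> registered) {
        if (addressList == null || addressList.trim().isEmpty()) {
            return new ArrayList<>(); // empty: caller falls back to the group's default executors
        }
        List<String> out = new ArrayList<>();
        for (String entry : addressList.split(",")) {
            String norm = normalize(entry);
            if (!registered.contains(norm)) {
                throw new IllegalArgumentException("unregistered executor address: " + entry.trim());
            }
            out.add(norm);
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println(validate("http://10.0.0.11:9999", REGISTERED)); // accepted, normalised
        try {
            validate("http://10.0.0.11:9999/,http://203.0.113.5:9999/", REGISTERED); // second entry unknown
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the whole request on the first unregistered entry, rather than silently dropping it, keeps the trigger from ever reaching an address the admin did not register.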

Added: Apr 28, 2026, 10:27 PM
Updated: Apr 28, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.