Xuxueli XXL-Job Unauthenticated Privileged OpenAPI Access Vulnerability

Vulnerability

A vulnerability in Xuxueli XXL-Job versions through 3.3.2 allows unauthenticated access to privileged OpenAPI endpoints. The issue arises because the application ships with a default access token, 'default_token', which remains in effect unless it is changed before deployment. This default token is the only credential used to authorize management operations such as registering executors, removing registrations, and submitting task execution callbacks, so anyone who knows the shipped value can pass the check. The vulnerability is exploitable remotely, although exploitation is rated as high-complexity.

Impact

Exploitation of this vulnerability allows for unauthorized access to management APIs, impersonation of executors by registering malicious endpoints, removal of legitimate executor registrations, and manipulation of task execution states, including forging callbacks to trigger downstream jobs.

Reproduction

To reproduce this vulnerability, deploy Xuxueli XXL-Job without changing the default access token. Once the application is running, the OpenAPI endpoints can be accessed without authentication by using the 'default_token' in the 'XXL-JOB-ACCESS-TOKEN' header. This allows for the invocation of privileged operations such as 'registry', 'registryRemove', and 'callback'.

Remediation

Users are advised to change the default access token to a strong, random value before deploying the application. XXL-Job should not be started with the access token set to 'default_token'. Additionally, the OpenAPI management operations should not rely solely on a static shared token for authorization.
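As a defender-side check for the condition described under Remediation, the following added example (written for this page, not code from the advisory or from the XXL-Job project) audits an XXL-Job properties file for a missing, default, short or low-entropy access token and emits a hardened copy with a freshly generated random value. It assumes the token is configured through the 'xxl.job.accessToken' property, which is the key the project's sample configuration uses but which the advisory itself does not name; the sample configuration contents are constructed for the demonstration, and the treatment of an empty token as "authentication disabled" reflects the project's behaviour as understood by the example's author rather than a statement on this page.

```python
"""Audit an XXL-Job configuration for the weak-access-token condition.

Added example, not part of the advisory or of XXL-Job itself. Assumes the
access token lives in the ``xxl.job.accessToken`` property (key name taken
from the project's sample configuration, not from the advisory page).
"""
import math
import re
import secrets
from collections import Counter

DEFAULT_TOKEN = "default_token"    # the shipped default named in the advisory
TOKEN_KEY = "xxl.job.accessToken"  # assumed property name (not on the advisory page)
MIN_LEN = 32                       # policy choice for this audit
MIN_ENTROPY_BITS = 128.0           # policy choice for this audit

# Constructed sample: an admin configuration left with the shipped default.
SAMPLE_DEFAULT_CONFIG = """# xxl-job admin (constructed sample)
server.port=8080
xxl.job.accessToken = default_token
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def entropy_bits(s):
    """Rough randomness estimate: empirical per-character entropy times length."""
    if not s:
        return 0.0
    n = len(s)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    return per_char * n


def audit_access_token(props):
    """Return finding codes for the configured token; an empty list means it looks acceptable.

    MISSING       -> no token set; assumed here to mean the token check is skipped entirely
    DEFAULT_TOKEN -> the shipped 'default_token' value is still in use
    TOO_SHORT     -> shorter than MIN_LEN characters
    LOW_ENTROPY   -> estimated randomness below MIN_ENTROPY_BITS
    """
    token = props.get(TOKEN_KEY, "")
    if token == "":
        return ["MISSING"]
    findings = []
    if token == DEFAULT_TOKEN:
        findings.append("DEFAULT_TOKEN")
    if len(token) < MIN_LEN:
        findings.append("TOO_SHORT")
    if entropy_bits(token) < MIN_ENTROPY_BITS:
        findings.append("LOW_ENTROPY")
    return findings


def generate_replacement():
    """A fresh random token from the OS CSPRNG (64 URL-safe characters)."""
    return secrets.token_urlsafe(48)


def hardened_config(text, new_token=None):
    """Rewrite the properties text so the access token is a strong random value."""
    new_token = new_token or generate_replacement()
    lines = []
    replaced = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#!" or not stripped.startswith(TOKEN_KEY):
            lines.append(raw)
            continue
        lines.append(f"{TOKEN_KEY}={new_token}")
        replaced = True
    if not replaced:
        lines.append(f"{TOKEN_KEY}={new_token}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before = audit_access_token(parse_properties(SAMPLE_DEFAULT_CONFIG))
    print("findings before:", before)
    fixed = hardened_config(SAMPLE_DEFAULT_CONFIG)
    print("findings after: ", audit_access_token(parse_properties(fixed)))
```

The same token must be set identically on the admin and every executor, so the hardened value has to be rolled out to all sides together; run the audit against each deployed configuration rather than only the admin's. The entropy estimate is a heuristic that catches obviously patterned values and does not replace generating the token from a CSPRNG as shown.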

Added: Apr 28, 2026, 10:27 PM
Updated: Apr 28, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 3.1
exploitability: 9.1
remediation: 8.3
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.