| タイトル | xuxueli https://github.com/xuxueli/xxl-job v3.3.2 Authorization Bypass |
|---|
| 説明 | An Insecure Direct Object Reference (IDOR) vulnerability exists in xxl-job-admin/joblog/logDetailCat. Any authenticated user who can obtain or guess a valid logId can read execution log content belonging to job groups they are not authorized to access.
Unlike the adjacent log detail page, the JSON log-reading endpoint does not enforce job-group authorization before returning log content. This leads to unauthorized disclosure of job execution logs, which may contain sensitive business parameters, internal network addresses, stack traces, operational metadata, and secrets written by jobs during execution. |
|---|
| ソース | ⚠️ https://github.com/xuxueli/xxl-job/issues/3936 |
|---|
| ユーザー | larlarua (UID 97278) |
|---|
| 送信 | 2026年04月12日 11:29 (2 月 ago) |
|---|
| モデレーション | 2026年04月28日 13:45 (16 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 359959 [Xuxueli xxl-job 迄 3.3.2 Execution Log JobLogController.java logDetailCat logId 特権昇格] |
|---|
| ポイント | 20 |
|---|