Lucene search

Veracode Vulnerability DatabaseVERACODE:46293

HistoryApr 09, 2024 - 9:42 a.m.

Remote Code Execution (RCE)

2024-04-0909:42:00

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

remote code execution

vulnerability

template injection

com.xuxueli:xxl-job-core

CVSS2

2.7

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:S/C:N/I:P/A:N

CVSS3

3.5

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

7.4

Confidence

High

EPSS

Percentile

15.5%

JSON

com.xuxueli:xxl-job-core is vulnerable to Template Injection. The vulnerability is due a lack of sanitization in the deserialize() method within com/xxl/job/core/util/JdkSerializeTool.java. This allows an attacker to provide a manipulated byte array containing a malicious object for deserialization, leading to Remote Code Execution.

References

github.com/advisories/GHSA-2v42-xp3j-47m4

github.com/xuxueli/xxl-job/blob/master/xxl-job-core/src/main/java/com/xxl/job/core/util/JdkSerializeTool.java#L53

github.com/xuxueli/xxl-job/issues/3391

vuldb.com/?ctiid.259480

vuldb.com/?id.259480

vuldb.com/?submit.308180

CVSS2

2.7

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:S/C:N/I:P/A:N

CVSS3

3.5

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

7.4

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for VERACODE:46293