Service Notices
XXL-JOB Unauthorized Access Vulnerability
Nov 04, 2020 GMT+08:00
I. Overview
Recently, we detected that XXL-JOB has an unauthorized access vulnerability. XXL-JOB is a distributed task scheduling platform. By default, XXL-JOB ships with no authentication configured, so attackers can send malicious requests and trigger remote code execution without authorization.
If you are an XXL-JOB user, check your service and implement timely security hardening.
References:
https://www.xuxueli.com/xxl-job/
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
XXL-JOB 2.2.0 and earlier versions
IV. Vulnerability Handling
Add the xxl.job.accessToken parameter to the application.properties file of the project to implement authentication.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
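As an added illustration that is not part of the original notice, the following application.properties fragments place the default, unauthenticated setting beside the hardened one. The token value is a placeholder of my choosing. In XXL-JOB the same xxl.job.accessToken value has to be configured on the admin (scheduler) side and on every executor, because each side checks the token carried by the other side's requests and rejects a request whose token does not match.

```properties
# --- BEFORE (vulnerable): token left empty, so no request is authenticated ---
xxl.job.accessToken=

# --- AFTER (hardened): xxl-job-admin application.properties ---
# Placeholder value: generate a long random secret and keep it out of source control.
xxl.job.accessToken=REPLACE_WITH_LONG_RANDOM_SECRET

# --- AFTER (hardened): each executor's application.properties ---
# Must match the admin token exactly, otherwise scheduling calls fail.
xxl.job.accessToken=REPLACE_WITH_LONG_RANDOM_SECRET
```

Restart the admin and the executors after the change and confirm in the admin log that the executors register successfully; a token mismatch shows up as failed executor registration or failed job dispatch, which is the quickest check that the token is actually being enforced on both sides.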