CVE-2023-27087

7.5 HIGH

📋 TL;DR

A permissions vulnerability in Xuxueli xxl-job versions 2.2.0, 2.3.0, and 2.3.1 allows attackers to obtain sensitive information via the pageList parameter. This affects organizations using these vulnerable versions of the distributed task scheduling framework. Attackers can exploit this to access unauthorized data.

💻 Affected Systems

Products:
  • Xuxueli xxl-job
Versions: 2.2.0, 2.3.0, 2.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of these versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete exposure of sensitive job data, configuration details, and potentially credentials stored in the system, leading to full system compromise.

🟠 Likely Case: Unauthorized access to job execution logs, configuration parameters, and system information that could facilitate further attacks.

🟢 If Mitigated: Limited information disclosure with proper access controls and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0

Vendor Advisory: https://github.com/xuxueli/xxl-job/issues/3096

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download xxl-job version 2.4.0 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the xxl-job service.
5. Verify functionality.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict network access to xxl-job admin interface to trusted IP addresses only.

iptables -A INPUT -p tcp --dport [xxl-job-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [xxl-job-port] -j DROP

Authentication Enhancement

Platform: All

Implement additional authentication layers or rate limiting on the admin interface.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate xxl-job instances from untrusted networks.
  • Enable detailed logging and monitoring for unauthorized access attempts to the pageList parameter.

🔍 How to Verify

Check if Vulnerable:

Check the xxl-job version in the admin interface or configuration files. If the version is 2.2.0, 2.3.0, or 2.3.1, the system is vulnerable.

Check Version:

grep -r 'version' xxl-job-admin/src/main/resources/application.properties

Verify Fix Applied:

After patching, verify that the admin interface shows version 2.4.0 or later, and test that sensitive information is no longer accessible via the pageList parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to pageList parameter
  • Multiple failed authentication attempts followed by successful pageList access

Network Indicators:

  • Unusual traffic to xxl-job admin interface from unexpected sources

SIEM Query:

source="xxl-job" AND (uri="*pageList*" OR parameter="pageList")
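A small detector, added here as an example and not code from the xxl-job project or this advisory, that applies the two log indicators above to constructed access-log lines: pageList requests from sources outside a trusted network, and repeated failed logins followed by a successful pageList request from the same source. The log line format, the 401-on-/login convention for a failed login, the trusted network and the sample paths are all assumptions; adapt them to your own logs.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample access log for the xxl-job admin interface (not real data).
# Assumed line format: <client-ip> <timestamp> <method> <path> <status>
SAMPLE_LOG = """\
10.0.0.5 2024-01-10T09:00:05 GET /xxl-job-admin/jobinfo/pageList 200
203.0.113.7 2024-01-10T09:01:00 POST /xxl-job-admin/login 401
203.0.113.7 2024-01-10T09:01:02 POST /xxl-job-admin/login 401
203.0.113.7 2024-01-10T09:01:04 POST /xxl-job-admin/login 401
203.0.113.7 2024-01-10T09:01:09 POST /xxl-job-admin/login 200
203.0.113.7 2024-01-10T09:01:12 GET /xxl-job-admin/joblog/pageList?jobGroup=1 200
198.51.100.3 2024-01-10T09:02:00 GET /xxl-job-admin/jobgroup/pageList 200
"""
TRUSTED_NETS = [ip_network("10.0.0.0/24")]  # assumed trusted admin sources
FAILED_LOGIN_THRESHOLD = 3  # failed logins before a later pageList hit is flagged
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Yield (ip, path-without-query, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _ts, _method, path, status = m.groups()
            yield ip, path.split("?", 1)[0], int(status)

def is_trusted(ip, nets=TRUSTED_NETS):
    return any(ip_address(ip) in net for net in nets)

def find_indicators(text, threshold=FAILED_LOGIN_THRESHOLD):
    """Apply the advisory's two log indicators and return offending source IPs."""
    failed_logins = defaultdict(int)
    untrusted_pagelist, failures_then_pagelist = set(), set()
    for ip, path, status in parse_log(text):
        # Assumption: a failed login appears as HTTP 401 on the /login path.
        if path.endswith("/login") and status == 401:
            failed_logins[ip] += 1
        # Same match as the SIEM query's uri="*pageList*", on successful responses.
        elif "pageList" in path and status == 200:
            if not is_trusted(ip):
                untrusted_pagelist.add(ip)
            if failed_logins[ip] >= threshold:
                failures_then_pagelist.add(ip)
    return {
        "pagelist_from_untrusted_source": sorted(untrusted_pagelist),
        "failed_logins_then_pagelist": sorted(failures_then_pagelist),
    }
```

Run against the sample, both external sources are reported for untrusted pageList access, and only 203.0.113.7 also trips the failed-logins-then-pageList indicator.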
