CVE-2023-37754

9.8 CRITICAL

📋 TL;DR

PowerJob v4.3.3 contains a remote command execution (RCE) vulnerability reachable through the instanceId parameter of the /instance/detail endpoint. The endpoint is reachable without authentication, so anyone who can reach the PowerJob web console can execute arbitrary commands on the server host. Every deployment of an affected version is exposed; no optional feature needs to be enabled.

💻 Affected Systems

Products:
  • PowerJob
Versions: v4.3.3 and potentially earlier versions
Operating Systems: All platforms running PowerJob
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration and requires no special setup to be exploitable.

📦 What is this software?

PowerJob is an open-source, Java-based distributed job scheduling and computing framework. A central PowerJob server exposes a web console and HTTP API (port 7700 by default) that administrators and worker nodes talk to; the vulnerable /instance/detail endpoint is part of that server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data theft, ransomware deployment, lateral movement across networks, and persistent backdoor installation.

🟠

Likely Case

Initial foothold for attackers to deploy cryptocurrency miners, establish command and control channels, or exfiltrate sensitive data.

🟢

If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation consists of a single crafted HTTP request to /instance/detail carrying an attacker-controlled instanceId value; no authentication, user interaction or prior access is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.3.4 or later

Vendor Reference (GitHub issue, not a formal advisory): https://github.com/PowerJob/PowerJob/issues/675

Restart Required: Yes

Instructions:

1. Back up the current PowerJob installation and its database.
2. Download PowerJob v4.3.4 or later from GitHub (or pull the corresponding release image).
3. Stop the PowerJob server service.
4. Replace the server artifacts with the patched release.
5. Restart the PowerJob server service.
6. Verify that the console is reachable and that worker nodes reconnect.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict access to the PowerJob web console (TCP 7700 by default) to trusted sources. Replace trusted_ip with the address or CIDR of your admin network. Note that PowerJob workers are also configured with the server's HTTP address (the worker's serverAddress setting), so worker hosts must be in the allowed set or they will lose contact with the server. Because -A appends, first check with iptables -L INPUT -n --line-numbers that no earlier rule already accepts the port, keep the ACCEPT rule ahead of the DROP rule as shown, and persist the rules (for example with iptables-save) so they survive a reboot.

iptables -A INPUT -p tcp --dport 7700 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 7700 -j DROP

Reverse Proxy with Input Validation

all

Place the web console behind a reverse proxy or WAF and reject any request to /instance/detail whose instanceId is not a plain integer (PowerJob instance IDs are numeric). An allow-list of the expected format is preferable to blocking individual shell metacharacters, which percent-encoded or differently shaped payloads can bypass.

🧯 If You Can't Patch

  • Implement strict network segmentation so that only administrators and worker hosts can reach the PowerJob server
  • Deploy a web application firewall with RCE protection rules, and add an allow-list rule for /instance/detail that permits only numeric instanceId values

🔍 How to Verify

Check if Vulnerable:

Check PowerJob version via web interface or configuration files. If version is 4.3.3 or earlier, assume vulnerable.

Check Version:

Check the version shown in the web console, or the version of the deployed server artifact (typically the powerjob-server JAR name or Docker image tag); application.properties or the build's pom.xml may also record it.

Verify Fix Applied:

Confirm the running version is 4.3.4 or later. Then send a request to /instance/detail with a non-numeric instanceId (for example a value containing letters) and confirm the server rejects it with an error response rather than acting on it, with nothing unexpected in the server logs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual instanceId parameter values in access logs
  • Suspicious command execution patterns in system logs
  • Bursts of requests to /instance/detail from a single source that return 4xx/5xx responses (failed or probing attempts)

Network Indicators:

  • HTTP requests to /instance/detail with unusual instanceId parameters
  • Outbound connections from PowerJob server to unknown destinations

SIEM Query:

source="powerjob_access.log" AND uri="/instance/detail" AND (instanceId CONTAINS "|" OR instanceId CONTAINS "$" OR instanceId CONTAINS "(")

This deny-list catches only three metacharacters and misses others (backticks, for example) as well as percent-encoded forms unless the field is decoded first. Since legitimate instanceId values are integers, a stronger query flags anything else (pseudo-syntax, adapt to your SIEM):

source="powerjob_access.log" AND uri="/instance/detail" AND NOT instanceId MATCHES "^[0-9]+$"
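The following is an added example (not PowerJob code and not part of the original advisory) that makes both the reverse-proxy validation workaround and the SIEM detection above concrete: the same allow-list check a validating proxy would apply to instanceId is run over a few constructed access-log lines, side by side with the page's three-character deny-list, so the difference between the two is visible. It assumes PowerJob instance IDs are plain integers and that the web server logs in common/combined format; the log lines, addresses and the probing values in them are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three characters the page's SIEM query looks for in instanceId.
DENYLIST_CHARS = ("|", "$", "(")

# Allow-list: PowerJob instance IDs are integers (assumption stated in the
# lead-in); 19 digits covers the largest signed 64-bit value.
ALLOWED_ID = re.compile(r"[0-9]{1,19}")

VULN_PATH = "/instance/detail"

# Common/combined access-log line:  client - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def instance_ids(target: str) -> list[str]:
    """Percent-decoded instanceId values when *target* hits the vulnerable path, else []."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    # parse_qs decodes %XX escapes, so the checks below see the real characters.
    return parse_qs(parts.query, keep_blank_values=True).get("instanceId", [])


def denylist_hit(value: str) -> bool:
    """Whether the page's deny-list query would flag this value."""
    return any(ch in value for ch in DENYLIST_CHARS)


def allowlist_reject(value: str) -> bool:
    """Whether an allow-list (digits only) would reject this value."""
    return ALLOWED_ID.fullmatch(value) is None


def proxy_decision(target: str) -> str:
    """Decision a validating reverse proxy makes for one request target.

    Only /instance/detail is inspected; every instanceId there must be numeric,
    otherwise the request is blocked.  Other paths are passed through untouched.
    """
    return "block" if any(allowlist_reject(v) for v in instance_ids(target)) else "pass"


def scan_log(lines):
    """Return one finding per instanceId seen on /instance/detail, with both verdicts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        for value in instance_ids(m["target"]):
            findings.append({
                "src": m["src"],
                "status": int(m["status"]),
                "instanceId": value,
                "denylist_hit": denylist_hit(value),
                "allowlist_reject": allowlist_reject(value),
            })
    return findings


# Constructed sample log: one legitimate request, three probes from one source
# (pipe, backticks, "$(...)" all percent-encoded), and one request on another path.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2023:12:00:01 +0000] "GET /instance/detail?instanceId=541327012358 HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Jul/2023:12:00:02 +0000] "GET /instance/detail?instanceId=1%7Cid HTTP/1.1" 500 120',
    '203.0.113.9 - - [10/Jul/2023:12:00:03 +0000] "GET /instance/detail?instanceId=1%60id%60 HTTP/1.1" 500 120',
    '203.0.113.9 - - [10/Jul/2023:12:00:04 +0000] "GET /instance/detail?instanceId=1%24%28id%29 HTTP/1.1" 500 120',
    '10.0.0.7 - - [10/Jul/2023:12:00:05 +0000] "GET /job/list?instanceId=1%7Cid HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the scan over the sample shows the point of the allow-list: the backtick probe is invisible to the deny-list but rejected by the digits-only rule, and the request on /job/list is ignored by both because the check is scoped to the vulnerable path. Decode the parameter before matching in your SIEM as well, or the encoded probes slip past a raw-string deny-list.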

🔗 References

  • https://github.com/PowerJob/PowerJob/issues/675