Login Sign Up

CVE-2023-39017

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

CVE-2023-39017 is a code injection vulnerability in quartz-jobs 2.3.2 and earlier that could allow remote code execution via the SendQueueMessageJob.execute component. The vulnerability is disputed because it requires untrusted input to reach specific internal code paths, making exploitation unlikely in typical configurations. Organizations using vulnerable versions of quartz-scheduler with custom job implementations could be affected.

💻 Affected Systems

Products:
  • quartz-scheduler
Versions: 2.3.2 and below
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Vulnerability requires custom job implementations that pass untrusted input to SendQueueMessageJob; default configurations are not vulnerable.

📦 What is this software?

Quartz by Softwareag

View all CVEs affecting Quartz →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the quartz-scheduler process, potentially leading to complete system compromise.

🟠

Likely Case

Limited impact due to the disputed nature requiring specific internal code paths; most likely denial of service or application disruption.

🟢

If Mitigated

Minimal impact if proper input validation and security controls prevent untrusted data from reaching vulnerable components.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific internal access and custom job configurations; disputed vulnerability with low practical exploitability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.3

Vendor Advisory: https://github.com/quartz-scheduler/quartz/issues/943

Restart Required: Yes

Instructions:

1. Update quartz-scheduler dependency to version 2.3.3 or higher. 2. Rebuild and redeploy applications using quartz-scheduler. 3. Restart affected services.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation in custom job implementations to prevent untrusted data from reaching SendQueueMessageJob.

Access Control

all

Restrict access to job scheduling interfaces to trusted users only.

🧯 If You Can't Patch

  • Implement network segmentation to isolate quartz-scheduler instances from untrusted networks.
  • Monitor for unusual job execution patterns and implement application-level firewalls.

🔍 How to Verify

Check if Vulnerable:

Check the quartz-scheduler version in your project dependencies or classpath; versions 2.3.2 or below are vulnerable.

Check Version:

Check Maven/Gradle dependencies or examine quartz-core-*.jar manifest file.

Verify Fix Applied:

Verify that quartz-scheduler version is 2.3.3 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual job execution patterns in quartz-scheduler logs
  • Errors from SendQueueMessageJob with unexpected input

Network Indicators:

  • Unusual network connections originating from quartz-scheduler process

SIEM Query:

Search for quartz-scheduler logs containing 'SendQueueMessageJob' with suspicious parameters.

📊 Metadata

CVE ID: CVE-2023-39017
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94
Published: July 28, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39017, you might also want to check these:

CVE-2025-62521 10.0

CVE-2025-62521 is a critical pre-authentication remote code execution vulnerability in ChurchCRM tha...

Same vulnerability type (CWE-94)
CVE-2026-26216 10.0

Crawl4AI versions before 0.8.0 contain an unauthenticated remote code execution vulnerability in the...

Same vulnerability type (CWE-94)
CVE-2021-22205 10.0

CVE-2021-22205 is a critical remote code execution vulnerability in GitLab CE/EE where improper vali...

Same vulnerability type (CWE-94)