9.8 CVE-2022-40929

Exploit RCE Path Traversal

 

XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks.
https://nvd.nist.gov/vuln/detail/CVE-2022-40929

Categories

CWE-77 : Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. If at all possible, use library calls rather than external processes to recreate the desired functionality. If possible, ensure that all external commands called from the program are statically created. Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands. Assign permissions to the software system that prevents the user from accessing/opening privileged files. Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash, potentially allowing for code execution. Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. injection of sed script syntax ("sed injection") injection of sed script syntax ("sed injection") injection of sed script syntax ("sed injection") image program allows injection of commands in "Magick Vector Graphics (MVG)" language. anti-spam product allows injection of SNMP commands into confiuration file

References

MISC Exploit

https://github.com/xuxueli/xxl-job/issues/2979
Exploit Issue Tracking Third Party Advisory


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:xuxueli:xxl-job:2.2.0:*:*:*:*:*:*:*

Exploits

id description date
No known exploits

CAPEC

id description severity
15 Command Delimiters
High
43 Exploiting Multiple Input Interpretation Layers
High
76 Manipulating Web Input to File System Calls
Very High
75 Manipulating Writeable Configuration Files
Very High
183 IMAP/SMTP Command Injection
Medium
248 Command Injection
High
40 Manipulating Writeable Terminal Devices
Very High
136 LDAP Injection
High

Sherlock® flash

Take a picture of your computer network in a few clicks !

The Sherlock® flash audit solution allows you to perform an audit to strengthen the security of your IT assets. Vulnerability analysis of your physical and virtual equipment. Patch planning by priority level and time available. Detailed and intuitive reporting.

Discover this offer

Sherlock® flash: 1st instant cybersecurity audit solution