# Vulnerability Summary: XXL-JOB SSRF Vulnerability (PR #3937)

## Vulnerability Overview

The `manual trigger` interface (`/jobinfo/trigger`) of XXL-JOB is vulnerable to Server-Side Request Forgery (SSRF). This interface accepts a user-controllable `addressList` parameter and passes it to the executor (`JobTriggerPoolHelper.trigger`) without any validation. Attackers can exploit this vulnerability to make the admin server send HTTP requests to arbitrary URLs.

## Impact Scope

* **Trigger Condition**: Requires an authenticated user with job permissions.
* **Potential Impact**:
  * Sending server-side HTTP requests to arbitrary URLs (SSRF).
  * Leaking the `XXL-JOB-ACCESS-TOKEN` header to attacker-controlled servers.
  * Leaking job metadata via the `TriggerRequest` body.
  * Accessing internal services (including Docker-internal services) reachable from the management server's network position.

## Remediation

Validation logic was added to the `XxlJobServiceImpl.trigger()` method.

* **Logic**: A whitelist mechanism is employed to ensure that every address in the user-provided `addressList` is an address registered or configured for that job group.
* **Result**: Requests are rejected if any address is not in the allowed list.

## POC/Exploit Code

No specific exploit code is included in the page, but a snippet of the patched code is provided:

```java
// Pre-fix code: the user-supplied addressList is trusted as-is
if (StringTool.isNotBlank(addressList)) {
    group.setAddressType(1);                // switch the group to manual addressing
    group.setAddressList(addressList.trim()); // No validation!
}
```

*(Note: This is the code before the fix; validation for address legitimacy was added after the fix.)*
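The following is an added, illustrative implementation of the whitelist check described under Remediation; it is not the project's patch. It assumes, as a simplification, that the job group's registered or configured executor addresses are available as a comma-separated string (the class name, method names and sample addresses are constructed for this example):

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical validator for the addressList parameter of a manual trigger.
// Only addresses already known to the job group are accepted; anything else is rejected
// before it can reach the trigger path, which closes the SSRF described above.
public class TriggerAddressValidator {

    /** Split a comma-separated address string into trimmed, non-empty entries. */
    static Set<String> parseAddresses(String addressList) {
        if (addressList == null || addressList.trim().isEmpty()) {
            return new HashSet<>();
        }
        return Arrays.stream(addressList.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(HashSet::new));
    }

    /**
     * Returns the user-supplied addresses (sorted) when every one of them is present in
     * the job group's allowed list; otherwise throws so the trigger request is refused.
     */
    static List<String> validateAddressList(String userAddressList, String groupAllowedList) {
        Set<String> allowed = parseAddresses(groupAllowedList);
        Set<String> requested = parseAddresses(userAddressList);
        for (String addr : requested) {
            // Exact string match against the whitelist; no parsing of the URL itself,
            // so no "looks internal" heuristics that an attacker could bypass.
            if (!allowed.contains(addr)) {
                throw new IllegalArgumentException(
                        "address not registered for this job group: " + addr);
            }
        }
        return requested.stream().sorted().collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: two executors registered for the group
        String registered = "http://10.0.0.11:9999/, http://10.0.0.12:9999/";

        // A known executor is accepted
        System.out.println(validateAddressList("http://10.0.0.11:9999/", registered));

        // Mixing in an unregistered host is rejected as a whole
        try {
            validateAddressList("http://10.0.0.11:9999/,http://198.51.100.7:8080/", registered);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the check compares against an allow-list the server already holds, rather than trying to classify the supplied URL as internal or external; a deny-list approach would leave DNS rebinding and redirect tricks in play, whereas an allow-list of registered executors makes the request target fully server-determined.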