Security vulnerability in com.xuxueli:xxl-job package (CVE-2023-26120)

vzgqcmou  于 4个月前  发布在  其他
关注(0)|答案(3)|浏览(70)

Please answer some questions before submitting your issue. Thanks!

Which version of XXL-JOB do you using?

2.3.1

Other information

I am writing to report a security vulnerability that has been discovered in the com.xuxueli:xxl-job package, which affects all versions of the package. The vulnerability, identified as CVE-2023-26120 , allows for the successful execution of HTML uploaded payload through the /xxl-job-admin/user/add and /xxl-job-admin/user/update endpoints.

As of now, there are no available patches to address this vulnerability. I suggest that the team takes immediate action to mitigate the risk of potential attacks by implementing the following measures:

3okqufwl

3okqufwl2#

具体描述可以参考以下链接
https://security.snyk.io/vuln/SNYK-JAVA-COMXUXUELI-3248764

里面给出了一些预防上述问题的建议

  • 在将 HTTP 请求的输入数据反映回用户之前,对其进行清洗。验证、过滤或转义所有数据以防止注入攻击,例如在搜索期间利用查询参数的攻击。
  • 将特殊字符(如<、>、&、"和')转换为它们各自的 HTML 或 URL 编码等效形式,以防止注入攻击。
  • 提供用户禁用客户端脚本的选项,以防止跨站脚本(XSS)攻击。
  • 重定向无效请求,以避免泄露敏感信息。
  • 检测来自两个不同 IP 地址的同时登录,并注销这些会话,以防止会话劫持攻击。
  • 使用和执行内容安全策略来禁用可能被操纵用于 XSS 攻击的任何功能。
  • 查阅您的代码中使用的任何库的文档,了解哪些元素允许嵌入 HTML,并采取适当措施以防注入攻击。
jbose2ul

jbose2ul3#

谢谢  愿属调皮 @***.  …

------------------ 原始邮件 ------------------ 发件人: ***@***.***>; 发送时间: 2023年5月10日(星期三) 中午11:04 收件人: ***@***.***>; 抄送: ***@***.***>; ***@***.***>; 主题: Re: [xuxueli/xxl-job] Security vulnerability in com.xuxueli:xxl-job package (CVE-2023-26120) (Issue #3176) 具体描述可以参考以下链接 https://security.snyk.io/vuln/SNYK-JAVA-COMXUXUELI-3248764 里面给出了一些预防上述问题的建议 How to prevent This section describes the top best practices designed to specifically protect your code: Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. Convert special characters such as , , , , and spaces to their respective HTML or URL encoded equivalents. ?&/<> Give users the option to disable client-side scripts. Redirect invalid requests. Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions. Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack. Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

相关问题