CVE-2024-3366 - Vulnerability Details - OpenCVE

A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/xuxueli/xxl-job/issues/3391
https://vuldb.com/?ctiid.259480
https://vuldb.com/?id.259480
https://vuldb.com/?submit.308180

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-04-06T10:31:04.894Z

Updated: 2024-08-21T22:32:17.765Z

Reserved: 2024-04-05T08:14:51.773Z

Link: CVE-2024-3366

Vulnrichment

Updated: 2024-08-01T20:05:08.512Z

NVD

Status : Awaiting Analysis

Published: 2024-04-06T11:15:08.740

Modified: 2024-11-21T09:29:28.237

Link: CVE-2024-3366

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3366", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-04-05T08:14:51.773Z", "datePublished": "2024-04-06T10:31:04.894Z", "dateUpdated": "2024-08-21T22:32:17.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-06T10:31:04.894Z"}, "title": "Xuxueli xxl-job Template JdkSerializeTool.java deserialize injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "CWE-74 Injection"}]}], "affected": [{"vendor": "Xuxueli", "product": "xxl-job", "versions": [{"version": "2.4.0", "status": "affected"}, {"version": "2.4.1", "status": "affected"}], "modules": ["Template Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480."}, {"lang": "de", "value": "In Xuxueli xxl-job bis 2.4.1 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Es geht um die Funktion deserialize der Datei com/xxl/job/core/util/JdkSerializeTool.java der Komponente Template Handler. Dank Manipulation mit unbekannten Daten kann eine injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.7, "vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N"}}], "timeline": [{"time": "2024-04-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-04-05T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-04-05T10:20:01.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "qqwp220 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.259480", "name": "VDB-259480 | Xuxueli xxl-job Template JdkSerializeTool.java deserialize injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.259480", "name": "VDB-259480 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.308180", "name": "Submit #308180 | xuxueli xxl-job <= 2.4.1 Template injection vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3391", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:08.512Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.259480", "name": "VDB-259480 | Xuxueli xxl-job Template JdkSerializeTool.java deserialize injection", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.259480", "name": "VDB-259480 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.308180", "name": "Submit #308180 | xuxueli xxl-job <= 2.4.1 Template injection vulnerability", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3391", "tags": ["exploit", "issue-tracking", "x_transferred"]}]}, {"affected": [{"vendor": "xuxueli", "product": "xxl-job", "cpes": ["cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.4.0", "status": "affected"}, {"version": "2.4.1", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-09T19:10:56.193920Z", "id": "CVE-2024-3366", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T22:32:17.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.259480", "name": "VDB-259480 | Xuxueli xxl-job Template JdkSerializeTool.java deserialize injection", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.259480", "name": "VDB-259480 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.308180", "name": "Submit #308180 | xuxueli xxl-job <= 2.4.1 Template injection vulnerability", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3391", "tags": ["exploit", "issue-tracking", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:08.512Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3366", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T19:10:56.193920Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*"], "vendor": "xuxueli", "product": "xxl-job", "versions": [{"status": "affected", "version": "2.4.0"}, {"status": "affected", "version": "2.4.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T22:32:13.118Z"}}], "cna": {"title": "Xuxueli xxl-job Template JdkSerializeTool.java deserialize injection", "credits": [{"lang": "en", "type": "reporter", "value": "qqwp220 (VulDB User)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.7, "vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N"}}], "affected": [{"vendor": "Xuxueli", "modules": ["Template Handler"], "product": "xxl-job", "versions": [{"status": "affected", "version": "2.4.0"}, {"status": "affected", "version": "2.4.1"}]}], "timeline": [{"lang": "en", "time": "2024-04-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2024-04-05T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-04-05T10:20:01.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.259480", "name": "VDB-259480 | Xuxueli xxl-job Template JdkSerializeTool.java deserialize injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.259480", "name": "VDB-259480 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.308180", "name": "Submit #308180 | xuxueli xxl-job <= 2.4.1 Template injection vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xuxueli/xxl-job/issues/3391", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480."}, {"lang": "de", "value": "In Xuxueli xxl-job bis 2.4.1 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Es geht um die Funktion deserialize der Datei com/xxl/job/core/util/JdkSerializeTool.java der Komponente Template Handler. Dank Manipulation mit unbekannten Daten kann eine injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74 Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-06T10:31:04.894Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3366", "state": "PUBLISHED", "dateUpdated": "2024-08-21T22:32:17.765Z", "dateReserved": "2024-04-05T08:14:51.773Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2024-04-06T10:31:04.894Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Xuxueli xxl-job hasta 2.4.1 y clasificada como problem\u00e1tica. Esta vulnerabilidad afecta la funci\u00f3n deserialize del archivo com/xxl/job/core/util/JdkSerializeTool.java del componente Template Handler. La manipulaci\u00f3n conduce a la inyecci\u00f3n. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-259480."}], "id": "CVE-2024-3366", "lastModified": "2024-11-21T09:29:28.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.7, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-04-06T11:15:08.740", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/xuxueli/xxl-job/issues/3391"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.259480"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.259480"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.308180"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/xuxueli/xxl-job/issues/3391"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://vuldb.com/?ctiid.259480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://vuldb.com/?id.259480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://vuldb.com/?submit.308180"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "cna@vuldb.com", "type": "Secondary"}]}