Vulnerability

CVE-2022-40929

 Report advisory or correction

CVSS Score 9.8 critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78

References

https://github.com/xuxueli/xxl-job/issues/2979
https://github.com/advisories/GHSA-m54f-rp6r-rrrm
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40929

[CVE-2022-40929] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks. NOTE: this is disputed because the issues/4929 report is about an intended and supported use case (running arbitrary Bash scripts on behalf of users).

See com.xuxueli/xxl-job-core package information