CVE-2023-29922: PowerJob vulnerable to Incorrect Access Control via the create user/save interface.
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
- CVE ID: CVE-2023-29922
- GHSA ID:
- EPSS Score: 0.99437%
- CWE:
- Published: 4/19/2023
- Updated: 11/4/2023
- KEV Status: No
- Technology: Java
Technical Details
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tech.powerjob:powerjob | maven | <= 4.3.1 | |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability lies in the user creation endpoint, as demonstrated by the PoC HTTP request to /user/save. The controller method mapped to that endpoint performs no access control check, so a requester without any privileges can create users; this matches the PR:N (no privileges required) and I:L (limited integrity impact) components of the CVSS vector above. The exact source code is not available on this page, but the endpoint mapping convention used in Java web applications, together with the vulnerability description, strongly indicates that the save method of the UserController is the vulnerable component: it handles user creation requests without verifying that the caller is authorized to create users.