
CVE-2023-29922: PowerJob vulnerable to Incorrect Access Control via the create user/save interface.

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.99437%
Published: 4/19/2023
Updated: 11/4/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name: tech.powerjob:powerjob
Ecosystem: maven
Vulnerable Versions: <= 4.3.1
First Patched Version: (not listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability manifests in the user creation endpoint, as demonstrated by the PoC HTTP request to /user/save. The absence of access control checks in the corresponding controller method allows unauthorized user creation. While the exact code is not available, the endpoint mapping convention in Java web applications and the vulnerability description strongly indicate that the UserController's save method is the vulnerable component: it handles user creation requests without proper authorization.

