RuoYi System Unauthorized Task Status Modification Vulnerability Report
Overview
A horizontal privilege escalation (IDOR) exists in the scheduled-task management of the RuoYi framework. The /monitor/job/changeStatus and /monitor/job/run endpoints accept a caller-supplied jobId and act on the matching task without checking that the authenticated caller is entitled to that task. Any account that can reach these endpoints can therefore enable, disable or immediately trigger arbitrary scheduled jobs, including jobs it did not create, and disrupt scheduled operations. Note that, as the run() handler below shows, the endpoint is gated by the monitor:job:changeStatus permission, so the attacker needs an account holding that permission; the missing check is per-object (which job), not per-endpoint.
Vulnerability Details
Type: Horizontal Privilege Escalation (IDOR)
CWE-ID: CWE-639: Authorization Bypass Through User-Controlled Key
Affected Components:
com.ruoyi.quartz.controller.SysJobController.changeStatus()
com.ruoyi.quartz.controller.SysJobController.run()
Vulnerability Analysis
Both handlers take the jobId from the request and operate on whatever job it resolves to. changeStatus() loads the job by that ID and overwrites its status with the caller-supplied value; run() hands the request object straight to jobService.run(). Neither compares the job's owner with the authenticated principal, so the permission check only decides whether a user may touch jobs at all, not which jobs.

```java
@PostMapping("/changeStatus")
@ResponseBody
public AjaxResult changeStatus(SysJob job) throws SchedulerException
{
    // Fetches the job by the caller-supplied jobId
    SysJob newJob = jobService.selectJobById(job.getJobId());
    // Applies the caller-supplied status with no ownership check
    newJob.setStatus(job.getStatus());
    return toAjax(jobService.changeStatus(newJob));
}

/**
 * Run the scheduled job once, immediately
 */
@Log(title = "定时任务", businessType = BusinessType.UPDATE) // title: "Scheduled task"
@RequiresPermissions("monitor:job:changeStatus")
@PostMapping("/run")
@ResponseBody
public AjaxResult run(SysJob job) throws SchedulerException
{
    // Executes whichever jobId the caller submitted; no ownership check
    boolean result = jobService.run(job);
    return result ? success() : error("任务不存在或已过期!"); // "Task does not exist or has expired!"
}
```
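For comparison, the following is a hardened form of the two handlers above. It is an added example written for this report, not RuoYi's own code. It keeps the controller, service and annotation names shown on this page and assumes, beyond what the page shows, that SysJob inherits getCreateBy() from RuoYi's BaseEntity, that ShiroUtils.getLoginName() returns the login name of the current Shiro principal, and that BaseController provides toAjax(), success() and error(); the helper isOwnedByCaller() is hypothetical. The check is applied to the record loaded from the database, never to fields of the request object, and it runs in both handlers so that run() is covered as well as changeStatus().

```java
// Added example: hardened variant of SysJobController.changeStatus() and run().
// Not RuoYi's code. Assumed (not shown on the page): SysJob.getCreateBy() from
// BaseEntity, ShiroUtils.getLoginName(), BaseController.toAjax/success/error.
package com.ruoyi.quartz.controller;

import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.quartz.SchedulerException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import com.ruoyi.common.annotation.Log;
import com.ruoyi.common.core.controller.BaseController;
import com.ruoyi.common.core.domain.AjaxResult;
import com.ruoyi.common.enums.BusinessType;
import com.ruoyi.common.utils.ShiroUtils;
import com.ruoyi.quartz.domain.SysJob;
import com.ruoyi.quartz.service.ISysJobService;

@Controller
@RequestMapping("/monitor/job")
public class SysJobController extends BaseController
{
    @Autowired
    private ISysJobService jobService;

    /**
     * Hypothetical ownership check: the stored job must exist and its createBy
     * must equal the authenticated caller. Null-safe, so an unknown jobId is
     * refused instead of dereferenced (the original code would throw an NPE).
     */
    private boolean isOwnedByCaller(SysJob stored)
    {
        if (stored == null || stored.getCreateBy() == null)
        {
            return false;
        }
        return stored.getCreateBy().equals(ShiroUtils.getLoginName());
    }

    @Log(title = "Scheduled task", businessType = BusinessType.UPDATE)
    @RequiresPermissions("monitor:job:changeStatus")
    @PostMapping("/changeStatus")
    @ResponseBody
    public AjaxResult changeStatus(SysJob job) throws SchedulerException
    {
        // Load the server-side record first; only jobId and status are taken from the request
        SysJob stored = jobService.selectJobById(job.getJobId());
        if (!isOwnedByCaller(stored))
        {
            // Same answer for "not yours" and "does not exist", so jobIds cannot be enumerated
            return error("Task does not exist or you are not permitted to modify it");
        }
        stored.setStatus(job.getStatus());
        return toAjax(jobService.changeStatus(stored));
    }

    @Log(title = "Scheduled task", businessType = BusinessType.UPDATE)
    @RequiresPermissions("monitor:job:changeStatus")
    @PostMapping("/run")
    @ResponseBody
    public AjaxResult run(SysJob job) throws SchedulerException
    {
        SysJob stored = jobService.selectJobById(job.getJobId());
        if (!isOwnedByCaller(stored))
        {
            return error("Task does not exist or you are not permitted to run it");
        }
        // Pass the stored record, not the request object, to the service layer
        boolean result = jobService.run(stored);
        return result ? success() : error("Task does not exist or has expired");
    }
}
```

Two points on the design: the check is made against the row loaded from the database rather than against anything the client sent, because the request's SysJob is entirely attacker-controlled; and the same error is returned whether the job is missing or belongs to someone else, so the endpoint cannot be used to enumerate valid jobIds. If jobs are meant to be administered only by a dedicated role rather than per-user, the equivalent fix is to restrict monitor:job:changeStatus to that role, but the object-level check is still the safer default.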