CVE-2023-37754
Published: 28 July 2023
Summary
CVE-2023-37754 is a critical-severity vulnerability of unspecified weakness type in PowerJob (vendor: Powerjob, product: Powerjob). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
PowerJob version 4.3.3 contains a remote command execution vulnerability that can be triggered through the instanceId parameter on the /instance/detail endpoint. The flaw received a CVSS score of 9.8 and is tracked under CVE-2023-37754, affecting the open-source distributed job scheduling system without requiring authentication or user interaction.
An unauthenticated attacker with network access can supply a crafted instanceId value to execute arbitrary commands on the server, resulting in full compromise of confidentiality, integrity, and availability. The attack requires no privileges and can be performed remotely over the network.
Public references consist of the project GitHub repository and issue 675, along with a technical write-up published shortly after disclosure; none of the listed sources detail official patches or mitigation steps. The associated EPSS score peaked at 0.6625 and currently stands at 0.6087, indicating sustained but not sharply escalating exploitation interest since the July 2023 publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1926
Vulnerability details
PowerJob v4.3.3 was discovered to contain a remote command execution (RCE) vulnerability via the instanceId parameter at /instance/detail.
- CWE(s): not specified
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.