CVE-2023-39017

WSO2 Products impacted: no

Customer actions required: no


REPORTED VULNERABILITY

Quartz-jobs versions 2.3.2 and below were discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. The vulnerability is reportedly exploited by passing an unchecked argument. NOTE: This is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur [1].

REPORTED PRODUCTS

  • WSO2 API Manager : 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0

WSO2 JUSTIFICATION

Quartz-jobs is used for managing scheduled tasks. In API Manager, it does not consume any user input; the Quartz configuration is set in code. Therefore, the reported quartz-jobs vulnerability is not reachable or exploitable in the API-M runtime and does not pose a security risk.

This CVE is also marked as disputed by multiple parties, including the Quartz maintainers, because the reported injection path requires untrusted input to reach an internal code path that is not plausibly attacker-controlled in real-world usage [1][2]. Since this is a disputed report rather than a confirmed product defect, there is no fixed Quartz version associated with CVE-2023-39017.

REFERENCES