CVE-2023-39017

NameCVE-2023-39017
Descriptionquartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libquartz-java (PTS)jessie1:1.7.3-5vulnerable
stretch1:1.8.6-3vulnerable
libquartz2-java (PTS)stretch2.2.3-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libquartz-javasourcejessie(unfixed)end-of-life
libquartz-javasourcestretch(unfixed)end-of-life
libquartz2-javasourcestretch(unfixed)end-of-life

Notes

Disputed Quartz issue
https://github.com/quartz-scheduler/quartz/issues/943
Search for package or bug name: Reporting problems