Skip to content

Template injection in cron-utils

Critical severity GitHub Reviewed Published Nov 24, 2020 in jmrozanec/cron-utils • Updated Feb 1, 2023

Package

maven com.cronutils:cron-utils (Maven)

Affected versions

< 9.1.3

Patched versions

9.1.3

Description

Impact

A Template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected.

Patches

The issue was patched and a new version released. Please upgrade to version 9.1.3.

Workarounds

There are no known workarounds up to this moment.

References

A description of the issue is provided in issue 461

For more information

If you have any questions or comments about this advisory:

References

@jmrozanec jmrozanec published to jmrozanec/cron-utils Nov 24, 2020
Reviewed Nov 24, 2020
Published to the GitHub Advisory Database Nov 24, 2020
Published by the National Vulnerability Database Nov 25, 2020
Last updated Feb 1, 2023

Severity

Critical

EPSS score

16.770%
(96th percentile)

Weaknesses

CVE ID

CVE-2020-26238

GHSA ID

GHSA-pfj3-56hm-jwq5

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.