Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
References
Configurations
Information
Published : 2020-11-24 16:15
Updated : 2021-03-23 18:16
NVD link : CVE-2020-26238
Mitre link : CVE-2020-26238
JSON object : View
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Products Affected
cron-utils_project
- cron-utils