Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
References
Configurations
History
07 Nov 2023, 03:20
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2020-11-25 00:15
Updated : 2024-02-28 18:08
NVD link : CVE-2020-26238
Mitre link : CVE-2020-26238
CVE.ORG link : CVE-2020-26238
JSON object : View
Products Affected
cron-utils_project
- cron-utils
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')