Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af326b31c835e cve-icon cve-icon
https://github.com/jmrozanec/cron-utils/issues/461 cve-icon cve-icon
https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5 cve-icon cve-icon
https://lists.apache.org/thread.html/r390bb7630b7ea8f02bf7adbbe69c0ae8b562c527d663c543d965f959%40%3Cgitbox.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r432a69a1a85cbcb1f1bad2aa0fbfce0367bf894bf917f6ed7118e7f0%40%3Cissues.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r50e1b5544c37e408ed7e9a958b28237b1cb9660ba2b3dba46f343e23%40%3Cissues.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r5f601d15292e3302ad0ae0e89527029546945b1cd5837af7e838d354%40%3Cdev.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r71083c759dc627f198571b3d48b6745fe798b1d53c34f7ef8de9e7dd%40%3Cissues.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r737406bc17d49ffe8fe6a8828d390ee0a02e45e5a5b4f931180b9a93%40%3Cissues.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r855aead591697dc2e85faf66c99036e49f492431940b78d4e6d895b5%40%3Cgitbox.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r96937fc9c82f3201b59311c067e97bce71123944f93102169a95bf5c%40%3Cissues.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9ae9a9fb1c8e2bf95c676e7e4cd06aa04f0a3a8a9ec1a6b787afb00f%40%3Cissues.hive.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra9e81244d323898dde3c979dd7df6996e4037d14a01b6629ea443548%40%3Cissues.hive.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2020-26238 cve-icon
https://www.cve.org/CVERecord?id=CVE-2020-26238 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-04T15:56:04.555Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26238

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-11-25T00:15:10.747

Modified: 2024-11-21T05:19:37.353

Link: CVE-2020-26238

cve-icon Redhat

Severity : Important

Publid Date: 2020-11-24T00:00:00Z

Links: CVE-2020-26238 - Bugzilla

cve-icon OpenCVE Enrichment

No data.