QwikSec

Security Database

CVE

CWE

Training

CVE-2020-26238

Published: Nov 24, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.9

HIGH

Description

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.

Vendor	Product	Versions
jmrozanec	cron-utils	affected `< 9.1.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5

x_refsource_CONFIRM

https://github.com/jmrozanec/cron-utils/issues/461

x_refsource_MISC

https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af326b31c835e

x_refsource_MISC

[hive-issues] 20210316 [jira] [Assigned] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-dev] 20210316 [jira] [Created] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-issues] 20210316 [jira] [Work started] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-gitbox] 20210316 [GitHub] [hive] achennagiri opened a new pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-issues] 20210316 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-issues] 20210316 [jira] [Updated] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-issues] 20210317 [jira] [Commented] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-issues] 20210317 [jira] [Resolved] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-issues] 20210317 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

[hive-gitbox] 20210317 [GitHub] [hive] yongzhi merged pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to CVE-2020-26238

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.