VDB
CVE-2020-26238
CVE-2020-26238
PUBLISHED
CVSS 7.9 HIGH
Reported by GitHub_M · Published November 24, 2020
Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
Risk Scores
CVSS 3.1
7.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| jmrozanec | cron-utils | < 9.1.3 |
| jmrozanec | cron-utils | < 9.1.3, * |
| Maven | com.cronutils:cron-utils | 0, 0 |
Timeline
- Nov 24, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
- Jul 14, 2023 EPSS Score
- Sep 15, 2023 EPSS Score
References
- x_refsource_CONFIRM
- x_refsource_MISC
- x_refsource_MISC
- [hive-issues] 20210316 [jira] [Assigned] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-dev] 20210316 [jira] [Created] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-issues] 20210316 [jira] [Work started] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-gitbox] 20210316 [GitHub] [hive] achennagiri opened a new pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-issues] 20210316 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-issues] 20210316 [jira] [Updated] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-issues] 20210317 [jira] [Commented] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-issues] 20210317 [jira] [Resolved] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-issues] 20210317 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- [hive-gitbox] 20210317 [GitHub] [hive] yongzhi merged pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to CVE-2020-26238 mailing-listx_refsource_MLIST
- https://nvd.nist.gov/vuln/detail/CVE-2020-26238 advisory