VDB

CVE-2020-26238

CVE-2020-26238 PUBLISHED CVSS 7.9 HIGH

Reported by GitHub_M · Published November 24, 2020

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.

Risk Scores

CVSS 3.1
7.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Affected Products

VendorProductVersions
jmrozaneccron-utils< 9.1.3
jmrozaneccron-utils< 9.1.3, *
Mavencom.cronutils:cron-utils0, 0

Timeline

  • Nov 24, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Nov 6, 2022 EPSS Score
  • Jan 8, 2023 EPSS Score
  • Mar 11, 2023 EPSS Score
  • Jul 14, 2023 EPSS Score
  • Sep 15, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›