PT-2020-16366 · Unknown · Cron-Utils

Published

2020-11-24

Updated

2021-03-24

CVE-2020-26238

CVSS v3.1

7.9

High

Vector

AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions cron-utils versions prior to 9.1.3

Description A template injection vulnerability is present in cron-utils, enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This issue affects only projects using the @Cron annotation to validate untrusted Cron expressions.

Recommendations For versions prior to 9.1.3, upgrade to version 9.1.3 to resolve the issue. As a temporary workaround, consider avoiding the use of the @Cron annotation to validate untrusted Cron expressions until the patch is applied.

Exploit

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74

Related Identifiers

CVE-2020-26238

GHSA-PFJ3-56HM-JWQ5

Affected Products

Cron-Utils

PT-2020-16366 · Unknown · Cron-Utils

CVE-2020-26238

Weakness Enumeration

Related Identifiers

Affected Products

References · 29