ghsa-pfj3-56hm-jwq5
Vulnerability from github
Published
2020-11-24 23:48
Modified
2021-01-07 22:39
Severity ?
Summary
Template injection in cron-utils
Details
Impact
A Template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected.
Patches
The issue was patched and a new version released. Please upgrade to version 9.1.3.
Workarounds
There are no known workarounds up to this moment.
References
A description of the issue is provided in issue 461
For more information
If you have any questions or comments about this advisory: * Open an issue in cron-utils Github repository
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "com.cronutils:cron-utils" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "9.1.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-26238" ], "database_specific": { "cwe_ids": [ "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2020-11-24T23:48:26Z", "nvd_published_at": "2020-11-25T00:15:00Z", "severity": "CRITICAL" }, "details": "### Impact\nA Template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected.\n\n### Patches\nThe issue was patched and a new version released. Please upgrade to version 9.1.3.\n\n### Workarounds\nThere are no known workarounds up to this moment.\n\n### References\nA description of the issue is provided in [issue 461](https://github.com/jmrozanec/cron-utils/issues/461)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [cron-utils Github repository](https://github.com/jmrozanec/cron-utils)", "id": "GHSA-pfj3-56hm-jwq5", "modified": "2021-01-07T22:39:49Z", "published": "2020-11-24T23:48:38Z", "references": [ { "type": "WEB", "url": "https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26238" }, { "type": "WEB", "url": "https://github.com/jmrozanec/cron-utils/issues/461" }, { "type": "WEB", "url": "https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af326b31c835e" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r390bb7630b7ea8f02bf7adbbe69c0ae8b562c527d663c543d965f959@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r432a69a1a85cbcb1f1bad2aa0fbfce0367bf894bf917f6ed7118e7f0@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r50e1b5544c37e408ed7e9a958b28237b1cb9660ba2b3dba46f343e23@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f601d15292e3302ad0ae0e89527029546945b1cd5837af7e838d354@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r71083c759dc627f198571b3d48b6745fe798b1d53c34f7ef8de9e7dd@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r737406bc17d49ffe8fe6a8828d390ee0a02e45e5a5b4f931180b9a93@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r855aead591697dc2e85faf66c99036e49f492431940b78d4e6d895b5@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r96937fc9c82f3201b59311c067e97bce71123944f93102169a95bf5c@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ae9a9fb1c8e2bf95c676e7e4cd06aa04f0a3a8a9ec1a6b787afb00f@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9e81244d323898dde3c979dd7df6996e4037d14a01b6629ea443548@%3Cissues.hive.apache.org%3E" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Template injection in cron-utils" }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.