You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
Vulnerable Library - cron-utils-9.0.2.jar
A Java library to parse, migrate and validate crons as well as describe them in human readable language
Library home page: http://cron-parser.com/
Path to dependency file: /server/impl/pom.xml
Path to vulnerable library: /server/impl/pom.xml,/server/dist/pom.xml
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-26238
Vulnerable Library - cron-utils-9.0.2.jar
A Java library to parse, migrate and validate crons as well as describe them in human readable language
Library home page: http://cron-parser.com/
Path to dependency file: /server/impl/pom.xml
Path to vulnerable library: /server/impl/pom.xml,/server/dist/pom.xml
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
Publish Date: 2020-11-25
URL: CVE-2020-26238
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-pfj3-56hm-jwq5
Release Date: 2020-11-25
Fix Resolution: 9.1.3
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: