7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26238

GHSA ID

GHSA-pfj3-56hm-jwq5

EPSS Score

0.91637%

CWE

CWE-74

Published

11/24/2020

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26238

CVE-2020-26238: Template injection in cron-utils

Impact

A Template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected.

Patches

The issue was patched and a new version released. Please upgrade to version 9.1.3.

Workarounds

There are no known workarounds up to this moment.

References

A description of the issue is provided in issue 461

For more information

If you have any questions or comments about this advisory:

Open an issue in cron-utils Github repository

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26238

GHSA ID

GHSA-pfj3-56hm-jwq5

EPSS Score

0.91637%

CWE

CWE-74

Published

11/24/2020

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.cronutils:cron-utils	maven	< 9.1.3	9.1.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using Hibernate Validator (v5.3.6.Final) for @Cron annotation validation, which processes Java EL expressions. The commit 4cf373f replaced Hibernate with BVal specifically to avoid EL evaluation. The vulnerable function would be the validator() implementation handling cron expression validation before this change, as it didn't sanitize EL expressions in user-provided cron patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * T*mpl*t* Inj**tion w*s i**nti*i** in *ron-utils *n**lin* *tt**k*rs to inj**t *r*itr*ry J*v* *L *xpr*ssions, l***in* to un*ut**nti**t** R*mot* *o** *x**ution (R**) vuln*r**ility. V*rsions up to *.*.* *r* sus**pti*l* to t*is vuln*r**ility.

Reasoning

T** vuln*r**ility st*ms *rom usin* `*i**rn*t* V*li**tor` (v*.*.*.*in*l) *or @*ron *nnot*tion v*li**tion, w*i** pro**ss*s J*v* *L *xpr*ssions. T** *ommit ******* r*pl**** `*i**rn*t*` wit* `*V*l` sp**i*i**lly to *voi* *L *v*lu*tion. T** vuln*r**l* `*un

7.8

Basic Information

Concerned about an active attack path?

CVE-2020-26238: Template injection in cron-utils

Impact

Patches

Workarounds

References

For more information

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI