
CVE-2021-41269

Published: 15/11/2021 Updated: 19/11/2021
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 605
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

cron-utils is a Java library to define, parse, validate and migrate cron expressions, and to produce human-readable descriptions of them. In affected versions, a template injection flaw was identified in cron-utils that lets an attacker inject arbitrary Java EL expressions, leading to unauthenticated remote code execution (RCE). Versions up to 9.1.2 are susceptible. Note that only projects using the @Cron annotation to validate untrusted cron expressions are affected. The issue has been patched and a new version released; upgrade to version 9.1.6. There are no known workarounds.
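The pattern behind this class of flaw is that an untrusted cron expression ends up inside a Bean Validation constraint-violation message template, and a message interpolator that evaluates Java EL (`${...}`) turns the "error message" into code execution. The following Java is an added example written for this page, not cron-utils' own code or its patch: it validates an untrusted expression with cron-utils' CronParser directly, never echoes the raw input into a template, and contrasts the unsafe and safe ways of reporting a violation from a custom ConstraintValidator. The class and method names (SafeCronCheck, Outcome, check, report), the javax.validation package (jakarta.validation on newer stacks), cron-utils 9.1.6 on the classpath and the constructed probe string in main are all assumptions.

```java
import com.cronutils.model.Cron;
import com.cronutils.model.CronType;
import com.cronutils.model.definition.CronDefinition;
import com.cronutils.model.definition.CronDefinitionBuilder;
import com.cronutils.parser.CronParser;

import javax.validation.ConstraintValidatorContext;

// Hypothetical helper (not part of cron-utils): validates untrusted cron strings
// without letting them reach a message template that an EL interpolator could evaluate.
public final class SafeCronCheck {

    /** Result of one check. The raw input is deliberately not carried along. */
    public static final class Outcome {
        public final boolean valid;
        public final String reason;
        Outcome(boolean valid, String reason) { this.valid = valid; this.reason = reason; }
        @Override public String toString() { return (valid ? "VALID: " : "REJECTED: ") + reason; }
    }

    private static final int MAX_LEN = 200; // assumption: no real cron line is longer

    public static Outcome check(String expression, CronType type) {
        if (expression == null || expression.isEmpty() || expression.length() > MAX_LEN) {
            return new Outcome(false, "expression missing or too long");
        }
        // Defence in depth: a cron expression never legitimately contains EL delimiters,
        // so reject them before any parser or validator sees the string.
        if (expression.contains("${") || expression.contains("#{")) {
            return new Outcome(false, "expression contains template delimiters");
        }
        CronDefinition definition = CronDefinitionBuilder.instanceDefinitionFor(type);
        try {
            Cron cron = new CronParser(definition).parse(expression);
            cron.validate(); // throws IllegalArgumentException on semantic errors
            return new Outcome(true, "parses as " + type);
        } catch (IllegalArgumentException e) {
            // Do NOT return e.getMessage() to callers that build templates from it:
            // the parser's message quotes the offending input verbatim.
            return new Outcome(false, "expression does not parse as " + type);
        }
    }

    /** How to report a failure from a custom ConstraintValidator.isValid(). */
    static void report(ConstraintValidatorContext ctx, String untrusted) {
        ctx.disableDefaultConstraintViolation();
        // UNSAFE (the injection pattern): untrusted text becomes a message *template*;
        // an interpolator that evaluates ${...} would execute attacker-supplied EL.
        //   ctx.buildConstraintViolationWithTemplate("Invalid cron: " + untrusted)
        //      .addConstraintViolation();
        // SAFE: a fixed, literal template key with no user-controlled characters.
        ctx.buildConstraintViolationWithTemplate("{cron.invalid}").addConstraintViolation();
    }

    public static void main(String[] args) {
        System.out.println(check("0 0 * * *", CronType.UNIX));
        System.out.println(check("0 0 31 2 *", CronType.UNIX));
        // Constructed probe string shaped like an EL payload; it is rejected before parsing.
        System.out.println(check("${''.getClass().forName('java.lang.Runtime')}", CronType.UNIX));
    }
}
```

The delimiter pre-check is a belt-and-braces measure, not a substitute for upgrading to 9.1.6: the real fix is to keep untrusted input out of message templates entirely, and, on Hibernate Validator 6.2 and later, to leave EL evaluation for custom violation templates disabled (its default) rather than opting in.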

Affected Products

cron-utils project: cron-utils

Vendor Advisories

Synopsis: Moderate: Red Hat build of Quarkus 2.2.5 release and security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a det ...
Synopsis: Moderate: Red Hat Integration Camel Extensions for Quarkus 2.2.1 security update. Type/Severity: Security Advisory: Moderate. Topic: A security update to Red Hat Integration Camel Extensions for Quarkus 2.2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has ...
Synopsis: Important: Service Registry (container images) release and security update [2.3.0.GA]. Type/Severity: Security Advisory: Important. Topic: An update to the images for Red Hat Integration Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fi ...

Github Repositories

CVE-Errata-Tool: This set of tools helps Red Hat TAMs gather information about CVEs, errata, etc. It calls the access.redhat.com/hydra/rest/securitydata API and prints results in the terminal. unresolved_cves.py provides information about CVEs fulfilling search criteria; those include CVE number, release date, severity, URL, description, mitigation strategy, affected produc ...