cve/2020/CVE-2020-26238.md

### [CVE-2020-26238](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26238)
![](https://img.shields.io/static/v1?label=Product&message=cron-utils&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-74%20Improper%20Neutralization%20of%20Special%20Elements%20in%20Output%20Used%20by%20a%20Downstream%20Component%20('Injection')&color=brighgreen)

### Description

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.

### POC

#### Reference
- https://github.com/jmrozanec/cron-utils/issues/461
- https://github.com/jmrozanec/cron-utils/issues/461

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/EdgeSecurityTeam/Vulnerability
- https://github.com/SexyBeast233/SecBooks
- https://github.com/tzwlhack/Vulnerability
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2020-26238](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26238)`
			`![](https://img.shields.io/static/v1?label=Product&message=cron-utils&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-74%20Improper%20Neutralization%20of%20Special%20Elements%20in%20Output%20Used%20by%20a%20Downstream%20Component%20('Injection')&color=brighgreen)`

			`### Description`

			`Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.`

			`### POC`

			`#### Reference`
			`- https://github.com/jmrozanec/cron-utils/issues/461`
Update CVE sources 2024-06-09 00:33 2024-06-09 00:33:16 +00:00			`- https://github.com/jmrozanec/cron-utils/issues/461`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00
			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/EdgeSecurityTeam/Vulnerability`
			`- https://github.com/SexyBeast233/SecBooks`
			`- https://github.com/tzwlhack/Vulnerability`