### [CVE-2020-26238](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26238)
![](https://img.shields.io/static/v1?label=Product&message=cron-utils&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-74%20Improper%20Neutralization%20of%20Special%20Elements%20in%20Output%20Used%20by%20a%20Downstream%20Component%20('Injection')&color=brighgreen)

### Description

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.

### POC

#### Reference
- https://github.com/jmrozanec/cron-utils/issues/461
- https://github.com/jmrozanec/cron-utils/issues/461

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/EdgeSecurityTeam/Vulnerability
- https://github.com/SexyBeast233/SecBooks
- https://github.com/tzwlhack/Vulnerability