CVE-2021-41269
Published 2021-11-15
Priority: P267 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.05% (89.4th percentile)
cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions, a template injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cron-utils_project | cron-utils | < 9.1.6 | 9.1.6 |
| jmrozanec | cron-utils | < 9.1.6 | 9.1.6 |
Detection & IOCs (extracted from sources)
- The vulnerability is Java EL (Expression Language) injection reached through the @Cron annotation when it validates untrusted cron expressions: monitor for EL syntax (for example ${...} or #{...}) in cron input fields that are processed by cron-utils.
- Only applications that use the @Cron annotation to validate untrusted cron expressions are exploitable: focus detection on services that accept external cron expressions and run cron-utils 9.1.2 or earlier.
- Red Hat Integration Camel K 1 is not affected despite shipping cron-utils; Red Hat build of Quarkus and Red Hat Integration Camel Quarkus 1 are affected. Scope detection accordingly.
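As an added example (not code from cron-utils or from any of the advisories quoted on this page), the Java sketch below shows the CWE-94 pattern that the description and the detection notes above refer to: a Bean Validation validator copies the untrusted cron expression into the constraint-violation message template, and the message interpolator evaluates any ${...} in that template as Java EL. It places the vulnerable validator beside a hardened one and adds the ${...} / #{...} check suggested for detection. Assumed dependencies: cron-utils 9.x, the javax.validation 2.0 API, Hibernate Validator 6.1.x as the interpolator (a release line that evaluates EL in custom templates by default) and an EL implementation such as org.glassfish:jakarta.el. The annotation, class and helper names are illustrative; the original cron-utils validator built its message from the parser's exception text, which echoes the expression, and the copy is made explicit here so the data flow is visible.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import java.util.regex.Pattern;

import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;

import com.cronutils.model.CronType;
import com.cronutils.model.definition.CronDefinitionBuilder;
import com.cronutils.parser.CronParser;

// Illustrative example, not cron-utils project code.
public class CronElInjectionExample {

    // Stand-in for cron-utils' @Cron, wired to the vulnerable validator.
    @Target({ElementType.FIELD, ElementType.PARAMETER})
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = UnsafeCronValidator.class)
    public @interface UnsafeCron {
        String message() default "invalid cron expression";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    // Same contract, wired to the hardened validator.
    @Target({ElementType.FIELD, ElementType.PARAMETER})
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = SafeCronValidator.class)
    public @interface SafeCron {
        String message() default "invalid cron expression";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    // Parses with cron-utils; throws IllegalArgumentException on a bad expression.
    static void parseOrThrow(String value) {
        new CronParser(CronDefinitionBuilder.instanceDefinitionFor(CronType.UNIX))
                .parse(value).validate();
    }

    // VULNERABLE (CWE-94): the untrusted expression becomes part of the message
    // template. Hibernate Validator interpolates ${...} in it as Java EL, so an
    // EL expression in the cron field runs on the server while the field is rejected.
    public static class UnsafeCronValidator implements ConstraintValidator<UnsafeCron, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null) return true;
            try {
                parseOrThrow(value);
                return true;
            } catch (IllegalArgumentException e) {
                ctx.disableDefaultConstraintViolation();
                ctx.buildConstraintViolationWithTemplate("Failed to parse '" + value + "'")
                        .addConstraintViolation();
                return false;
            }
        }
    }

    // HARDENED: nothing attacker-controlled reaches the interpolator; the constant
    // default message from the annotation is used unchanged.
    public static class SafeCronValidator implements ConstraintValidator<SafeCron, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null) return true;
            try {
                parseOrThrow(value);
                return true;
            } catch (IllegalArgumentException e) {
                return false; // report details through logs or the API response, not the template
            }
        }
    }

    // Detection helper for the syntax named in the advisory; for alerting on inbound
    // cron fields, not a substitute for upgrading to 9.1.6.
    private static final Pattern EL_SYNTAX = Pattern.compile("[$#]\\{");

    public static boolean looksLikeElInjection(String cronInput) {
        return cronInput != null && EL_SYNTAX.matcher(cronInput).find();
    }

    public static class Job {
        @UnsafeCron String unsafeSchedule;
        @SafeCron String safeSchedule;
        Job(String s) { unsafeSchedule = s; safeSchedule = s; }
    }

    public static void main(String[] args) {
        // Constructed probe: harmless arithmetic, but its evaluation proves the
        // template is interpreted. An attacker would place code-executing EL here.
        String probe = "${1+1} * * * *";
        System.out.println("looksLikeElInjection: " + looksLikeElInjection(probe));
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<Job>> violations = validator.validate(new Job(probe));
        for (ConstraintViolation<Job> cv : violations) {
            // unsafeSchedule: the ${1+1} in the message has been evaluated by the interpolator
            // safeSchedule: the constant "invalid cron expression"
            System.out.println(cv.getPropertyPath() + ": " + cv.getMessage());
        }
    }
}
```

The hardened validator fixes the data flow rather than the syntax: no untrusted text is ever handed to the interpolator, so there is nothing to escape. Hand-escaping `${` in the template is fragile and easy to get wrong, and a user-facing message that needs the offending value should be assembled outside the validation framework. Later Hibernate Validator lines changed how EL in custom templates is handled, so check the version you actually run instead of assuming either behaviour; the upgrade to cron-utils 9.1.6 remains the fix for this CVE.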
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- Red Hat (vendor): 10.0 CRITICAL
Red Hat
cron-utils: template Injection leading to unauthenticated Remote Code Execution
vendor_redhat · 2021-11-17 · CVSS 10.0
CVE-2021-41269 [CRITICAL] CWE-94
A flaw was found in cron-utils. This flaw allows an attacker to perform unauthenticated Remote C
GHSA
Critical vulnerability found in cron-utils
ghsa · 2021-11-15
CVE-2021-41269 [CRITICAL] CWE-94
### Impact
A template injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note that only projects using the @Cron annotation to validate untrusted Cron expressions are affected.
### Patches
The issue was patched and a new version was released. Please upgrade to version 9.1.6.
### Workarounds
There are no known workarounds up to this moment.
### References
A description of the issue is provided in [issue 461](https://github.com/jmrozanec/cron-utils/issues/461)
### For more information
If you have any questions or comments about this advisory:
Open an issue in t
OSV
Critical vulnerability found in cron-utils
osv · 2021-11-15
CVE-2021-41269 [CRITICAL]
(Advisory text identical to the GHSA entry above.)
No detection rules found.
No public exploits indexed.
References
- https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-p9m8-27x8-rg87
- https://github.com/jmrozanec/cron-utils/issues/461
- https://github.com/jmrozanec/cron-utils/commit/cfd2880f80e62ea74b92fa83474c2aabdb9899da
- https://github.com/jmrozanec/cron-utils/commit/d6707503ec2f20947f79e38f861dba93b39df9da