CVE-2021-41269
published 2021-11-15


Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.05% (89.4th percentile)
cron-utils is a Java library to define, parse, validate and migrate crons, as well as to get human-readable descriptions for them. In affected versions, a template injection was identified in cron-utils that enables attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds.

Affected (2 ranges)

Vendor              | Product     | Version range | Fixed in
cron-utils_project  | cron-utils  | < 9.1.6       | 9.1.6
jmrozanec           | cron-utils  | < 9.1.6       | 9.1.6

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via Java EL (Expression Language) injection through the @Cron annotation when validating untrusted Cron expressions — monitor for EL expression syntax (e.g., ${...} or #{...}) in Cron input fields processed by cron-utils
  • Only applications using the @Cron annotation to validate untrusted Cron expressions are exploitable — focus detection on services that accept external Cron expression input and use cron-utils versions up to 9.1.2
  • Red Hat Integration Camel K 1 is NOT affected despite shipping cron-utils; Red Hat build of Quarkus and Red Hat Integration Camel Quarkus 1 ARE affected — scope detection accordingly

CVSS provenance

NVD (v3.1): 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 6.8 MEDIUM — AV:N/AC:M/Au:N/C:P/I:P/A:P
Vendor (Red Hat): 10.0 CRITICAL