Use Moqui Framework to build enterprise applications based on Java. It includes tools for databases (relational, graph, document), local and web services, web and other UI with screens and forms, security, file/resource access, scripts, templates, l10n, caching, logging, search, rules, workflow, multi-instance, and integration.
CVE-2020-26238 - High Severity Vulnerability
Vulnerable Library - cron-utils-9.1.1.jar
A Java library to parse, migrate and validate crons as well as describe them in human readable language
Library home page: http://cron-parser.com/
Path to dependency file: moqui-framework/framework/build.gradle
Path to vulnerable library: canner/.gradle/caches/modules-2/files-2.1/com.cronutils/cron-utils/9.1.1/d4f4df310183ccc7efdd3e18f6d0a62abe1184b6/cron-utils-9.1.1.jar
Dependency Hierarchy:
- **cron-utils-9.1.1.jar** (Vulnerable Library)
Vulnerability Details
Cron-utils is a Java library to parse, validate and migrate crons, as well as produce human-readable descriptions of them. In cron-utils before version 9.1.3, a template injection vulnerability is present: attacker-controlled input can inject arbitrary Java EL expressions, leading to unauthenticated remote code execution (RCE). Only projects that use the @Cron annotation to validate untrusted cron expressions are affected. This issue was patched in version 9.1.3.
Publish Date: 2020-11-25
URL: CVE-2020-26238
CVSS 3 Score Details (7.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5
Release Date: 2020-11-25
Fix Resolution: com.cronutils:cron-utils:9.1.3
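The affected pattern, and a way to check a concrete classpath for it, as an added example that is not code from the Moqui project or from cron-utils. It assumes cron-utils 9.1.x (javax.validation namespace) and a Bean Validation provider such as Hibernate Validator, with an EL implementation, on the classpath; the class names CronInjectionProbe and ScheduleRequest and the probe string are made up for illustration. The point of the advisory is that the library's @Cron constraint places the rejected input into a constraint-violation message template, which the validation provider interpolates as Java EL. The probe puts the harmless expression ${7*7} in one field: if interpolation happens, the violation message contains 49 instead of the literal text.

```java
import java.util.Set;

import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;

import com.cronutils.model.CronType;
import com.cronutils.model.definition.CronDefinitionBuilder;
import com.cronutils.parser.CronParser;
import com.cronutils.validation.Cron;

// Added example, not part of Moqui or cron-utils. Assumes cron-utils 9.1.x and a
// Bean Validation provider (e.g. Hibernate Validator + an EL impl) on the classpath.
public class CronInjectionProbe {

    enum ProbeResult { EVALUATED, LITERAL, NOT_ECHOED }

    // The pattern the advisory scopes the issue to: an untrusted string validated
    // through the library's @Cron Bean Validation constraint. (Hypothetical DTO.)
    static final class ScheduleRequest {
        @Cron(type = CronType.QUARTZ)
        final String schedule;

        ScheduleRequest(String schedule) { this.schedule = schedule; }
    }

    // Constructed probe, not a real payload: six Quartz fields so the parser gets
    // past the field-count check, with a harmless EL expression where the seconds
    // field should be. A genuine cron expression never contains "${", so this is
    // guaranteed to be rejected and to reach the violation message template.
    static final String EL_PROBE = "${7*7} 0 12 * * ?";

    // Runs the @Cron constraint against the probe and classifies what the
    // violation message shows about this particular classpath.
    static ProbeResult probe(Validator validator) {
        Set<ConstraintViolation<ScheduleRequest>> violations =
                validator.validate(new ScheduleRequest(EL_PROBE));
        for (ConstraintViolation<ScheduleRequest> v : violations) {
            String msg = v.getMessage();
            if (msg.contains("${7*7}")) {
                return ProbeResult.LITERAL;   // template escaped, or provider refuses EL
            }
            if (msg.contains("49")) {
                return ProbeResult.EVALUATED; // EL ran on attacker-controlled text
            }
        }
        return ProbeResult.NOT_ECHOED;        // input not reflected; probe inconclusive
    }

    // Version-independent alternative for untrusted input: parse with CronParser and
    // keep the raw value out of any message template. Log the rejected value if you
    // must, but never interpolate it.
    static boolean isValidQuartzCron(String untrusted) {
        CronParser parser = new CronParser(
                CronDefinitionBuilder.instanceDefinitionFor(CronType.QUARTZ));
        try {
            parser.parse(untrusted).validate();
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        System.out.println("@Cron message template: " + probe(validator));
        System.out.println("CronParser accepts '0 0 12 * * ?': "
                + isValidQuartzCron("0 0 12 * * ?"));
        System.out.println("CronParser accepts probe: " + isValidQuartzCron(EL_PROBE));
    }
}
```

Run it against the classpath that moqui-framework/framework/build.gradle resolves. EVALUATED means the @Cron path evaluates attacker-controlled EL as shipped. LITERAL means either cron-utils escapes the value (the 9.1.3 fix) or the validation provider declines to evaluate EL in custom templates; since the latter is a property of the provider, not of cron-utils, the upgrade to com.cronutils:cron-utils:9.1.3 is still required. After changing the version in framework/build.gradle (the configuration name depends on how Moqui declares the dependency), confirm with Gradle's dependency report for the framework subproject (e.g. `./gradlew :framework:dependencies`) that no other path still resolves 9.1.1.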