{"containers":{"cna":{"affected":[{"product":"cron-utils","vendor":"jmrozanec","versions":[{"status":"affected","version":"< 9.1.3"}]}],"descriptions":[{"lang":"en","value":"Cron-utils is a Java library to parse, validate, and migrate crons as well as get human-readable descriptions for them. In cron-utils before version 9.1.3, a template injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-74","description":"CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-03-17T19:06:38.000Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5"},{"tags":["x_refsource_MISC"],"url":"https://github.com/jmrozanec/cron-utils/issues/461"},{"tags":["x_refsource_MISC"],"url":"https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af326b31c835e"},{"name":"[hive-issues] 20210316 [jira] [Assigned] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r96937fc9c82f3201b59311c067e97bce71123944f93102169a95bf5c%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-dev] 20210316 
[jira] [Created] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r5f601d15292e3302ad0ae0e89527029546945b1cd5837af7e838d354%40%3Cdev.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Work started] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/ra9e81244d323898dde3c979dd7df6996e4037d14a01b6629ea443548%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-gitbox] 20210316 [GitHub] [hive] achennagiri opened a new pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r855aead591697dc2e85faf66c99036e49f492431940b78d4e6d895b5%40%3Cgitbox.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r9ae9a9fb1c8e2bf95c676e7e4cd06aa04f0a3a8a9ec1a6b787afb00f%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Updated] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r71083c759dc627f198571b3d48b6745fe798b1d53c34f7ef8de9e7dd%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Commented] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r50e1b5544c37e408ed7e9a958b28237b1cb9660ba2b3dba46f343e23%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Resolved] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to 
CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r432a69a1a85cbcb1f1bad2aa0fbfce0367bf894bf917f6ed7118e7f0%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r737406bc17d49ffe8fe6a8828d390ee0a02e45e5a5b4f931180b9a93%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-gitbox] 20210317 [GitHub] [hive] yongzhi merged pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r390bb7630b7ea8f02bf7adbbe69c0ae8b562c527d663c543d965f959%40%3Cgitbox.hive.apache.org%3E"}],"source":{"advisory":"GHSA-pfj3-56hm-jwq5","discovery":"UNKNOWN"},"title":"Critical vulnerability found in cron-utils","x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2020-26238","STATE":"PUBLIC","TITLE":"Critical vulnerability found in cron-utils"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"cron-utils","version":{"version_data":[{"version_value":"< 9.1.3"}]}}]},"vendor_name":"jmrozanec"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Cron-utils is a Java library to parse, validate, and migrate crons as well as get human-readable descriptions for them. In cron-utils before version 9.1.3, a template injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. 
This issue was patched in version 9.1.3."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}]},"references":{"reference_data":[{"name":"https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5","refsource":"CONFIRM","url":"https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5"},{"name":"https://github.com/jmrozanec/cron-utils/issues/461","refsource":"MISC","url":"https://github.com/jmrozanec/cron-utils/issues/461"},{"name":"https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af326b31c835e","refsource":"MISC","url":"https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af326b31c835e"},{"name":"[hive-issues] 20210316 [jira] [Assigned] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r96937fc9c82f3201b59311c067e97bce71123944f93102169a95bf5c@%3Cissues.hive.apache.org%3E"},{"name":"[hive-dev] 20210316 [jira] [Created] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r5f601d15292e3302ad0ae0e89527029546945b1cd5837af7e838d354@%3Cdev.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Work started] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/ra9e81244d323898dde3c979dd7df6996e4037d14a01b6629ea443548@%3Cissues.hive.apache.org%3E"},{"name":"[hive-gitbox] 20210316 [GitHub] 
[hive] achennagiri opened a new pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r855aead591697dc2e85faf66c99036e49f492431940b78d4e6d895b5@%3Cgitbox.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r9ae9a9fb1c8e2bf95c676e7e4cd06aa04f0a3a8a9ec1a6b787afb00f@%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Updated] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r71083c759dc627f198571b3d48b6745fe798b1d53c34f7ef8de9e7dd@%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Commented] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r50e1b5544c37e408ed7e9a958b28237b1cb9660ba2b3dba46f343e23@%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Resolved] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r432a69a1a85cbcb1f1bad2aa0fbfce0367bf894bf917f6ed7118e7f0@%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r737406bc17d49ffe8fe6a8828d390ee0a02e45e5a5b4f931180b9a93@%3Cissues.hive.apache.org%3E"},{"name":"[hive-gitbox] 20210317 [GitHub] [hive] yongzhi merged pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to 
CVE-2020-26238","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r390bb7630b7ea8f02bf7adbbe69c0ae8b562c527d663c543d965f959@%3Cgitbox.hive.apache.org%3E"}]},"source":{"advisory":"GHSA-pfj3-56hm-jwq5","discovery":"UNKNOWN"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T15:56:04.555Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/jmrozanec/cron-utils/issues/461"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af326b31c835e"},{"name":"[hive-issues] 20210316 [jira] [Assigned] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r96937fc9c82f3201b59311c067e97bce71123944f93102169a95bf5c%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-dev] 20210316 [jira] [Created] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r5f601d15292e3302ad0ae0e89527029546945b1cd5837af7e838d354%40%3Cdev.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Work started] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/ra9e81244d323898dde3c979dd7df6996e4037d14a01b6629ea443548%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-gitbox] 20210316 [GitHub] [hive] achennagiri opened a new pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to 
CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r855aead591697dc2e85faf66c99036e49f492431940b78d4e6d895b5%40%3Cgitbox.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r9ae9a9fb1c8e2bf95c676e7e4cd06aa04f0a3a8a9ec1a6b787afb00f%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210316 [jira] [Updated] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r71083c759dc627f198571b3d48b6745fe798b1d53c34f7ef8de9e7dd%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Commented] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r50e1b5544c37e408ed7e9a958b28237b1cb9660ba2b3dba46f343e23%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Resolved] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r432a69a1a85cbcb1f1bad2aa0fbfce0367bf894bf917f6ed7118e7f0%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-issues] 20210317 [jira] [Work logged] (HIVE-24890) Upgrade to cron-utils 9.1.3 due to CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r737406bc17d49ffe8fe6a8828d390ee0a02e45e5a5b4f931180b9a93%40%3Cissues.hive.apache.org%3E"},{"name":"[hive-gitbox] 20210317 [GitHub] [hive] yongzhi merged pull request #2081: HIVE-24890: Upgrade the cron-utils library from 8.1.1 to 9.1.3 due to 
CVE-2020-26238","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r390bb7630b7ea8f02bf7adbbe69c0ae8b562c527d663c543d965f959%40%3Cgitbox.hive.apache.org%3E"}]}]},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2020-26238","datePublished":"2020-11-24T23:50:12.000Z","dateReserved":"2020-10-01T00:00:00.000Z","dateUpdated":"2024-08-04T15:56:04.555Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}