CVE-2021-41269: Unauthenticated remote code injection in cron-utils

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-41269

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Unauthenticated remote code injection in cron-utils

Source: NVD (National Vulnerability Database)

Vulnerability Description

cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds known.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

对生成代码的控制不恰当(代码注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Cron Utils 代码注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Cron Utils是Jmrozanec个人开发者的一个用于验证、解析、迁移 Cron 表达式的Java代码库。 Cron Utils 存在代码注入漏洞，攻击者能够注入任意Java EL表达式来执行远程代码。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
jmrozanec	cron-utils	< 9.1.6	-

II. Public POCs for CVE-2021-41269

#	POC Description	Source Link	Shenlong Link
1	None	https://github.com/shoucheng3/jmrozanec__cron-utils_CVE-2021-41269_9-1-5	POC Details
2	None	https://github.com/andikahilmy/CVE-2021-41269-cron-utils-vulnerable	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-41269

Please Login to view more intelligence information

https://github.com/jmrozanec/cron-utils/issues/461x_refsource_MISC
https://github.com/jmrozanec/cron-utils/commit/cfd2880f80e62ea74b92fa83474c2aabdb9899dax_refsource_MISC
https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-p9m8-27x8-rg87x_refsource_CONFIRM
https://github.com/jmrozanec/cron-utils/commit/d6707503ec2f20947f79e38f861dba93b39df9dax_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2021-41269

IV. Related Vulnerabilities

Same product: cron-utils

CVE-2020-26238
Critical vulnerability found in cron-utils

Same vendor: jmrozanec

CVE-2020-26238
Critical vulnerability found in cron-utils

Same weakness: CWE-94

V. Comments for CVE-2021-41269

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2021-41269

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2021-41269

III. Intelligence Information for CVE-2021-41269

IV. Related Vulnerabilities

V. Comments for CVE-2021-41269

Leave a comment