CVE ID: CVE-2020-26238
Exploitation status: none known
Patch status: N/A
Disclosure date: 2020-11-25

Vulnerability description
Cron-utils is a Java library for parsing, validating and migrating cron expressions, and for producing human-readable descriptions of them. In cron-utils before version 9.1.3, a template injection vulnerability is present: an attacker can inject arbitrary Java EL expressions, leading to unauthenticated remote code execution (RCE). Only projects that use the @Cron annotation to validate untrusted cron expressions are affected. This issue was patched in version 9.1.3.

Remediation advice
Update the affected system or software to the latest version to remediate this vulnerability.
References
- https://github.com/jmrozanec/cron-utils/commit/4cf373f7352f5d95f0bf6512af8af3...
- https://github.com/jmrozanec/cron-utils/issues/461
- https://github.com/jmrozanec/cron-utils/security/advisories/GHSA-pfj3-56hm-jwq5
- https://lists.apache.org/thread.html/r390bb7630b7ea8f02bf7adbbe69c0ae8b562c52...
- https://lists.apache.org/thread.html/r432a69a1a85cbcb1f1bad2aa0fbfce0367bf894...
- https://lists.apache.org/thread.html/r50e1b5544c37e408ed7e9a958b28237b1cb9660...
- https://lists.apache.org/thread.html/r5f601d15292e3302ad0ae0e89527029546945b1...
- https://lists.apache.org/thread.html/r71083c759dc627f198571b3d48b6745fe798b1d...
- https://lists.apache.org/thread.html/r737406bc17d49ffe8fe6a8828d390ee0a02e45e...
- https://lists.apache.org/thread.html/r855aead591697dc2e85faf66c99036e49f49243...
- https://lists.apache.org/thread.html/r96937fc9c82f3201b59311c067e97bce7112394...
- https://lists.apache.org/thread.html/r9ae9a9fb1c8e2bf95c676e7e4cd06aa04f0a3a8...
- https://lists.apache.org/thread.html/ra9e81244d323898dde3c979dd7df6996e4037d1...
Affected software
Runs in the following environment:

| # | Type | Vendor | Product | Version | Affected range |
|---|---|---|---|---|---|
| 1 | Application | cron-utils_project | cron-utils | * | Up to (excluding) 9.1.3 |
- Attack vector: Network
- Attack complexity: High
- Privileges required: None
- Scope: Unchanged
- User interaction: None
- Availability impact: High
- Confidentiality impact: High
- Integrity impact: High