
CVE-2021-41269

Unauthenticated remote code injection in cron-utils

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

cron-utils is a Java library to define, parse, validate, and migrate crons, as well as get human-readable descriptions for them. In affected versions, a template injection was identified in cron-utils that enables attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds.

cron-utils is a Java library for defining, parsing, understanding and migrating crons, as well as for obtaining readable descriptions for them. In affected versions, a template injection was identified in cron-utils that allowed attackers to inject arbitrary Java EL expressions, leading to an unauthenticated remote code execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Note that only projects that use the @Cron annotation to understand untrusted Cron expressions are affected. The issue has been patched and a new version has been released. Please upgrade to version 9.1.6. No workarounds are known

A flaw was found in cron-utils. This flaw allows an attacker to perform unauthenticated Remote Code Execution (RCE) via Java Expression Language (EL) injection.

This release of Red Hat Integration - Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes. Issues addressed include code execution, cross site scripting, denial of service, deserialization, and privilege escalation vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-09-15 CVE Reserved
  • 2021-11-15 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2025-02-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Cron-utils Project
  • Product: Cron-utils
  • Version: < 9.1.6
  • Other: -
  • Status: Affected