VYPR
Critical severity · NVD Advisory · Published Nov 24, 2020 · Updated Aug 4, 2024

Critical vulnerability found in cron-utils

CVE-2020-26238

Description

Cron-utils before 9.1.3 has a template injection vulnerability in the @Cron annotation, allowing unauthenticated remote code execution via crafted cron expressions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

Cron-utils is a Java library for parsing and validating cron expressions. In versions prior to 9.1.3, a template injection vulnerability exists when the @Cron annotation is used to validate untrusted cron expressions. The library does not sanitize user-supplied cron strings before they reach the constraint violation message, so an attacker can inject arbitrary Java Expression Language (EL) expressions. The flaw stems from the Hibernate Validator dependency the library relied on, whose message interpolator evaluates EL expressions in violation messages during validation [1][4].

Exploitation

An attacker can exploit this vulnerability by providing a malicious cron expression to any application that uses the @Cron annotation for validation. No authentication is required; the attacker only needs to supply a crafted input that includes EL syntax. The expression is then evaluated by the Java EL engine, leading to code execution in the context of the application server [1][4].

Impact

Successful exploitation results in unauthenticated remote code execution (RCE). An attacker can execute arbitrary commands, potentially gaining full control over the affected system. The severity is critical, as the vulnerability can be triggered without any prior access [1][4].

Mitigation

The issue has been patched in cron-utils version 9.1.3. The fix involved replacing the Hibernate Validator dependency with Apache BVal, which does not evaluate EL expressions in the same insecure manner [3]. Users are strongly advised to upgrade to version 9.1.3 or later. No workarounds are available [4].
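To make the class of bug behind this advisory concrete, the following is an added example, not code from the cron-utils project or from the advisory: a Bean Validation constraint that checks a cron string with the cron-utils parser. The unsafe variant (shown only as a comment) hands the parser's error text, which embeds the raw user input, to buildConstraintViolationWithTemplate(), where a provider such as Hibernate Validator interpolates ${...} as EL. The hardened variant keeps the template fixed and escapes the interpolator's metacharacters before any input becomes part of a template. The annotation name @SafeCron, the Job bean, the SafeCronExample class and the sample expressions are this example's own assumptions; it expects cron-utils and a Bean Validation 1.1 (javax.validation) provider, plus the EL implementation that provider needs, on the classpath.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;

import com.cronutils.model.CronType;
import com.cronutils.model.definition.CronDefinitionBuilder;
import com.cronutils.parser.CronParser;

/** Example constraint (assumed name, not the library's own @Cron): the string must parse as a cron of the given type. */
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SafeCronValidator.class)
@interface SafeCron {
    String message() default "invalid cron expression";
    CronType type() default CronType.UNIX;
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class SafeCronValidator implements ConstraintValidator<SafeCron, String> {
    private CronParser parser;

    @Override
    public void initialize(SafeCron constraint) {
        parser = new CronParser(CronDefinitionBuilder.instanceDefinitionFor(constraint.type()));
    }

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null) {
            return true; // null-ness is @NotNull's job, not this constraint's
        }
        try {
            parser.parse(value).validate(); // throws IllegalArgumentException on a bad expression
            return true;
        } catch (IllegalArgumentException e) {
            // UNSAFE (the pattern this advisory is about): the parser's message embeds the raw
            // user input, and a provider that interpolates ${...} as EL would evaluate it:
            //     context.buildConstraintViolationWithTemplate(e.getMessage()).addConstraintViolation();
            // SAFE: the template is a literal of our own, and the input is escaped before it joins it.
            context.disableDefaultConstraintViolation();
            context.buildConstraintViolationWithTemplate(
                    "invalid cron expression: " + escapeTemplate(value)).addConstraintViolation();
            return false;
        }
    }

    /** Backslash-escape the characters the Bean Validation message interpolator treats specially. */
    static String escapeTemplate(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '{' || c == '}' || c == '$') {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }
}

/** Constructed bean holding an untrusted schedule string, e.g. taken from an HTTP form. */
class Job {
    @SafeCron(type = CronType.UNIX)
    String schedule;

    Job(String schedule) { this.schedule = schedule; }
}

public class SafeCronExample {
    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed inputs: a valid UNIX cron, a field short, and one carrying a harmless ${...}
        // reference that must come back verbatim in the message rather than being interpolated.
        for (String s : new String[] {"0 2 * * *", "0 2 * *", "0 2 * * ${x}"}) {
            Set<ConstraintViolation<Job>> v = validator.validate(new Job(s));
            System.out.println(s + " -> " + (v.isEmpty() ? "valid" : v.iterator().next().getMessage()));
        }
    }
}
```

The most conservative form of the fix drops the input from the message entirely and logs it separately; the escaping shown follows the Bean Validation specification's escape rules, so it should hold across providers, but the third sample input is there precisely so you can confirm that on the provider you actually ship. To find out whether a build still resolves a vulnerable cron-utils, `mvn dependency:tree -Dincludes=com.cronutils:cron-utils` lists every path by which it enters the classpath.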

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions   Patched versions
com.cronutils:cron-utils   Maven       < 9.1.3             9.1.3

Affected products: 2

Patches: 1

Commit 4cf373f7352f

Update dependencies to fix security vulnerability.

https://github.com/jmrozanec/cron-utils · Joze Rozanec · Nov 17, 2020 · via ghsa
1 file changed · +4 −3
  • pom.xml  (+4 −3, modified)
    @@ -121,11 +121,12 @@
                 <scope>test</scope>
             </dependency>
             <dependency>
    -            <groupId>org.hibernate</groupId>
    -            <artifactId>hibernate-validator</artifactId>
    +            <groupId>org.apache.bval</groupId>
    +            <artifactId>bval-jsr</artifactId>
    +            <version>1.1.2</version>
    +            <!--The Hibernate dependency is no longer used, due to security vulnerabilities -->
                 <!-- https://stackoverflow.com/questions/48323244/java-lang-nosuchmethoderror-javax-validation-bootstrapconfiguration-getclockproExecutionTimeQuartzIntegrationTest -->
                 <!-- https://stackoverflow.com/questions/24386771/javax-validation-validationexception-hv000183-unable-to-load-javax-el-express -->
    -            <version>5.3.6.Final</version>
                 <scope>test</scope>
             </dependency>
             <dependency>
    
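Review bot: the replacement bval-jsr dependency keeps `<scope>test</scope>` (the unchanged context line right after the added `<version>1.1.2</version>`), so this pom only changes which Bean Validation provider runs cron-utils' own tests; a consuming application that has hibernate-validator on its runtime classpath still evaluates the @Cron constraint under an EL-interpolating provider, and the validator code that builds violation messages from the cron string is not part of this one-file change. Suggest pairing the dependency swap with a change in the constraint validator itself (a fixed message template, or escaping of the input before it reaches buildConstraintViolationWithTemplate) and saying so in the new comment, which currently only states that the Hibernate dependency "is no longer used". The two stackoverflow links kept below the comment describe Hibernate Validator / javax.el bootstrap problems and no longer apply to bval-jsr.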

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 25

News mentions: 0

No linked articles in our index yet.