CVE-2021-41269: 
Java vulnerability analysis and mitigation

A template injection vulnerability was discovered in cron-utils (CVE-2021-41269), a Java library used to define, parse, validate, and migrate crons. The vulnerability affects versions up to 9.1.2 and enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE). The vulnerability specifically impacts projects using the @Cron annotation to validate untrusted Cron expressions (GitHub Advisory, NVD).

The vulnerability allows attackers to inject malicious Java EL expressions through cron expressions when using the @Cron annotation validation feature. The issue received a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from NVD, while GitHub assessed it with a score of 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The vulnerability is classified as CWE-94: Improper Control of Generation of Code ('Code Injection') (NVD).

The vulnerability enables unauthenticated attackers to execute arbitrary code remotely on affected systems through template injection. This could potentially lead to complete system compromise, as the attacker can achieve high levels of confidentiality, integrity, and availability impact (GitHub Advisory).

The vulnerability was patched in version 9.1.6 of cron-utils. Users are strongly advised to upgrade to this version or later. There are no known workarounds for affected versions (GitHub Advisory).