Vulnerabilities
Vulnerable Software
Heron versions <= 0.20.4-incubating allow CRLF log injection because of missing escaping in the log statements. Update to version 0.20.5-incubating, which addresses this issue.
CVSS Score: 9.8
EPSS Score: 0.002
Published: 2022-10-24
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating do not configure their YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data).
CVSS Score: 9.8
EPSS Score: 0.099
Published: 2020-04-16

