CVE-2020-1964

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
9.8CRITICAL
EPSS
9.9%
top 7.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Heron
Timeline
PublishedApr 16
Latest updateJan 6

Description

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.heron:heron-simulator0.20.0-incubating0.20.3-incubating
CVEListV5apache_heronApache Heron 0.20.2-incubating, Release 0.20.1-incubating, Release v-0.20.0-incubating
NVDapache/heron0.20.0-incubating, 0.20.1-incubating, 0.20.2-incubating+2

🔴Vulnerability Details

3
GHSA
Deserialization of Untrusted Data in Apache Heron2022-01-06
OSV
Deserialization of Untrusted Data in Apache Heron2022-01-06
CVEList
CVE-2020-1964: It was noticed that Apache Heron 02020-04-16
CVE-2020-1964 (CRITICAL CVSS 9.8) | It was noticed that Apache Heron 0. | cvebase.io