oss-sec mailing list archives

[CVE-2018-11789] Apache Incubator Heron file access vulnerability

From: Neng Lu <freeneng () gmail com>
Date: Wed, 6 Mar 2019 14:22:45 -0800

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Heron 0.13.0 to 0.17.8

Description:
When accessing the heron-ui web page, a user can modify the file path
parameter to point outside the current container and read any file on the host.

Mitigation:
All Heron users should upgrade to 0.20.0-incubating.

Example:
Modify the path= parameter to point at the directory you would like to view,
e.g. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
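The fix class this advisory calls for is a containment check on the decoded path= value before any file is opened, plus the same check applied to request logs to spot earlier attempts. The following is an added illustration, not code from the Heron project: the container root, the route in the sample log lines and the function names are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed root directory for the example (hypothetical, not Heron's own layout).
CONTAINER_ROOT = "/tmp/heron-container"

# Constructed request log lines; the route is illustrative, not heron-ui's real one.
SAMPLE_LOG = [
    "GET /filedata?path=log-files%2Fstdout.txt HTTP/1.1",
    "GET /filedata?path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",
]


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the container root."""


def resolve_within_root(root, requested):
    """Decode a user-supplied path= value and return its absolute form only if
    it stays inside root; raise PathTraversalError otherwise.

    The check runs on the fully resolved path (realpath), so encoded, doubled or
    symlinked '..' segments are all caught after normalization rather than by
    string matching on the raw query value."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"path escapes container root: {requested!r}")
    return candidate


def is_safe(root, requested):
    """True if requested resolves inside root, False if it would escape."""
    try:
        resolve_within_root(root, requested)
        return True
    except PathTraversalError:
        return False


def find_traversal_attempts(log_lines, root=CONTAINER_ROOT):
    """Return the log lines whose path= query value would escape root."""
    hits = []
    for line in log_lines:
        if "path=" not in line:
            continue
        value = line.split("path=", 1)[1].split("&", 1)[0].split(" ", 1)[0]
        if not is_safe(root, value):
            hits.append(line)
    return hits
```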

Credit:
This issue was discovered by Windham Wong of stormeye.io

-- 
Best Regards,
Neng
