oss-sec mailing list archives
CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability
From: Josh Fischer <josh () joshfischer io>
Date: Wed, 15 Apr 2020 22:59:22 -0500
CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
0.20.2-incubating
0.20.1-incubating
v-0.20.0-incubating

Description:
Apache Heron versions 0.20.2-incubating and before do not configure their YAML parser to prevent the instantiation of arbitrary types, resulting in remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).

Mitigation:
Users of 0.20.2-incubating and previous versions should build from the current HEAD of master. A vote has been started for a new release, 0.20.3-incubating, which will include the fix.

Credit:
This vulnerability was discovered by Frederic Vleminckx.

Regards,
The Apache Heron (Incubating) Team
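An added example of the defect class described above, not Heron's own code: assuming the Java side reads its configuration with SnakeYAML 1.x (an assumption, the advisory names no parser), the weak default-constructor form is shown beside the hardened SafeConstructor form, which only builds standard YAML types and rejects any document carrying a class tag. The sample documents are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlConfig {
    // Constructed samples: an ordinary config document, and one carrying a
    // type tag that asks the parser to instantiate a class of the document's
    // choosing. The class name here is a harmless placeholder.
    static final String PLAIN = "heron.cluster: local\nheron.role: dev\n";
    static final String TAGGED = "heron.cluster: !!java.lang.Object {}\n";

    // Weak (the 'before' form): the default Constructor honours arbitrary
    // !!fully.qualified.Class tags, so untrusted input chooses what gets built.
    static Object loadUnsafe(String text) {
        return new Yaml().load(text);
    }

    // Hardened: SafeConstructor knows only the standard YAML types (maps,
    // sequences, strings, numbers, booleans, nulls, timestamps). Any other tag
    // raises a ConstructorError (a YAMLException) instead of instantiating.
    static Map<String, Object> loadSafe(String text) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object root = yaml.load(text);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("config root must be a mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> config = (Map<String, Object>) root;
        return config;
    }

    public static void main(String[] args) {
        System.out.println("plain config: " + loadSafe(PLAIN));
        try {
            loadSafe(TAGGED);
            System.out.println("tagged document was accepted (not expected)");
        } catch (YAMLException e) {
            System.out.println("tagged document rejected: " + e.getMessage());
        }
    }
}
```

Note that with SnakeYAML 2.x the hardened form needs `new SafeConstructor(new LoaderOptions())`; the 1.x no-argument form is assumed here.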