
List:       oss-security
Subject:    [oss-security] CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability
From:       Josh Fischer <josh () joshfischer ! io>
Date:       2020-04-16 3:59:22
Message-ID: CAFkuAo1KHC_=9a5CepfMVooTOzfqFg0MODus-PR5QzyzBxOp=g () mail ! gmail ! com


CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
0.20.2-incubating
0.20.1-incubating
v-0.20.0-incubating

Description:
Apache Heron versions 0.20.2-incubating and earlier do not configure their
YAML parser to prevent the instantiation of arbitrary types, resulting in
remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted
Data).
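The following is an added illustration and not code from the Apache Heron project or from this advisory. It assumes the YAML library involved is SnakeYAML 1.x (the advisory does not name it) and uses a constructed configuration document; the config keys are made up for the example. It shows the weak loader setting, in which an explicit "!!<class>" tag in the input makes the parser instantiate whatever class the document names, beside the hardened form, in which SafeConstructor only builds standard YAML scalars, sequences and mappings and rejects such tags.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class YamlConfigLoaderDemo {

    // Constructed sample config (not a real Heron file): the second value
    // carries an explicit type tag naming a JDK class.
    static final String TAGGED_CONFIG =
            "example.cluster: local\n"
          + "example.launch.timeout: !!java.util.Date {}\n";

    // Weak setting: the default constructor resolves "!!<class>" tags to any
    // class on the classpath and instantiates it from the document.
    static Map<String, Object> loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened setting: SafeConstructor knows only the core YAML tags, so a
    // tag naming an arbitrary Java class raises a YAMLException instead of
    // creating an object.
    static Map<String, Object> loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    // Returns the runtime class name of the tagged value when loaded with the
    // given loader, or "rejected" when the loader refuses the document.
    static String describe(boolean safe, String doc) {
        try {
            Map<String, Object> cfg = safe ? loadSafe(doc) : loadUnsafe(doc);
            return cfg.get("example.launch.timeout").getClass().getName();
        } catch (YAMLException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        // Default loader: prints "java.util.Date", i.e. the document chose the type.
        System.out.println("unsafe loader built: " + describe(false, TAGGED_CONFIG));
        // SafeConstructor: prints "rejected".
        System.out.println("safe loader result:  " + describe(true, TAGGED_CONFIG));
    }
}
```

The benign java.util.Date tag stands in for any class the classpath happens to contain; the point for a reviewer is that the configuration file, not the application, decides which types get constructed unless the loader is built with SafeConstructor (or an equivalent allow-listed constructor). Checking a code base for bare `new Yaml()` calls on files that are not fully trusted is the quickest way to find this pattern.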

Mitigation:
0.20.2-incubating and previous users should build from the current HEAD of
master.
A vote has been started for a new release 0.20.3-incubating which will
include the fix.

Credit:
This vulnerability was discovered by Frederic Vleminckx.

Regards,

The Apache Heron (Incubating) Team

