List: oss-security
Subject: [oss-security] CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability
From: Josh Fischer <josh () joshfischer ! io>
Date: 2020-04-16 3:59:22
Message-ID: CAFkuAo1KHC_=9a5CepfMVooTOzfqFg0MODus-PR5QzyzBxOp=g () mail ! gmail ! com
CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
0.20.2-incubating
0.20.1-incubating
v-0.20.0-incubating
Description:
Apache Heron 0.20.2-incubating and earlier do not configure their YAML
parser to prevent the instantiation of arbitrary types. A YAML document
from an untrusted source can therefore name a Java class to instantiate,
resulting in remote code execution (CWE-502: Deserialization of Untrusted
Data).
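As an added illustration, not code from Heron or from its fix: the two loaders below show the difference between a SnakeYAML parser left at its defaults and one built with SafeConstructor. It assumes Heron's Java components parse configuration with the SnakeYAML library (an assumption for this example) and requires SnakeYAML 1.33 or later, where the LoaderOptions-taking constructor exists. The input document, the key names and the `!!java.net.URL` tag are constructed for the example; the tag is a benign stand-in, since the same mechanism lets an attacker name any class on the classpath whose constructor matches the supplied arguments.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderDemo {

    // Constructed input: a global tag (!!fully.qualified.Class) asks the
    // parser to instantiate that class from the sequence's elements.
    static final String UNTRUSTED_YAML =
        "config:\n" +
        "  endpoint: !!java.net.URL [\"http://127.0.0.1:8080/\"]\n";

    /** Default SnakeYAML: honours global tags and instantiates the named class. */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /**
     * Hardened loader: SafeConstructor only builds the standard YAML types
     * (maps, sequences, strings, numbers, booleans, timestamps) and rejects
     * any other tag, so a document can no longer name a Java class.
     */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(UNTRUSTED_YAML);
        Object endpoint = ((Map<?, ?>) unsafe.get("config")).get("endpoint");
        // The default loader has created a java.net.URL object from the document.
        System.out.println("default loader built: " + endpoint.getClass().getName());

        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (YAMLException e) {
            // SafeConstructor cannot resolve !!java.net.URL and refuses the document.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

When reviewing a build for this class of defect, every `new Yaml()` (or `new Yaml(new Constructor(...))`) that reads data an operator does not fully control should be changed to a SafeConstructor-backed instance; the parser's output is then plain collections, and the application converts them to its own types explicitly.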
Mitigation:
Users of 0.20.2-incubating and earlier should build from the current HEAD
of master.
A vote has been started for a new release 0.20.3-incubating which will
include the fix.
Credit:
This vulnerability was discovered by Frederic Vleminckx.
Regards,
The Apache Heron (Incubating) Team