Heron

heron

Vendor: Apache • 3 CVEs

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-42010 1Apache 1Heron May 7, 2025 Oct 24, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue.
CVE-2020-1964 1Apache 1Heron Nov 21, 2024 Apr 16, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote cod...Show more It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).Show less
CVE-2018-11789 1Apache 1Heron Nov 21, 2024 Mar 21, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. Example woule be modifying the parameter path= to go to the directory you would like...Show more When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. Example woule be modifying the parameter path= to go to the directory you would like to view. i.e. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd.Show less