CVE-2020-1964
CRITICALApache Heron 0.20.0-incubating-0.20.2-incubating - Remote Code Execution via YAML Deserialization
Title source: llmDescription
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).
References (5)
Core 5
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/r16dd39f4180e4443ef4ca774a3a5a3d7ac69f91812c183ed2a99e959%40%3Cdev.heron.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde27d16a653f8755%40%3Cdev.ignite.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced6306759e1237ce67%40%3Cdev.ignite.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cdev.ignite.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cuser.ignite.apache.org%3E
Scores
CVSS v3
9.8
EPSS
0.0986
EPSS Percentile
93.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (4)
apache/heron
0.20.0-incubating
apache/heron
0.20.1-incubating
apache/heron
0.20.2-incubating
org.apache.heron/heron-simulator
0.20.0-incubating - 0.20.3-incubatingMaven
Published
Apr 16, 2020
Tracked Since
Feb 18, 2026