CVE-2021-42010
CRITICAL
Apache Heron <= 0.20.4-incubating - CRLF Log Injection
Title source: llm
Description
Heron versions <= 0.20.4-incubating allow CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating, which addresses this issue.
References (2)
Core References
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/10/23/2
Mailing List, Vendor Advisory
https://lists.apache.org/thread/j65nwr8n7jchngwqptzh100drcr4ry2q
Scores
CVSS v3
9.8
EPSS
0.0179
EPSS Percentile
83.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-116
Status
published
Products (2)
apache/heron
< 0.20.5-incubating
org.apache.heron/heron-api
0 - 0.20.5-incubating
Maven
Published
Oct 24, 2022
Tracked Since
Feb 18, 2026