[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Apr 2020 22:59:22 -0500
From: Josh Fischer <josh@...hfischer.io>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability
CVE-2020-1964: Apache Heron (incubating) information disclosure
vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
0.20.2-incubating
0.20.1-incubating
v-0.20.0-incubating
Description:
In versions 0.20.2-incubating and before in Apache Heron does not
configure its YAML parser to prevent the instantiation of arbitrary
types, resulting in remote code execution vulnerabilities (CWE-502:
Deserialization of Untrusted Data).
Mitigation:
0.20.2-incubating and previous users should build from the current HEAD of
master.
A vote has been started for a new release 0.20.3-incubating which will
include the fix.
Credit:
This vulnerability was discovered by Frederic Vleminckx
Regards,
The Apache Heron (Incubating) Team
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
