Vulnerability Description
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data).
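The misconfiguration the description refers to, shown as an added example that is not Heron's own code: it assumes the YAML library is SnakeYAML 1.x (the page does not name it) and that documents are loaded with the library's default `Constructor`. The `YamlLoaderCheck` class, the harmless `Marker` class and the sample document are constructed for this example; the hardened form passes a `SafeConstructor`, which only builds plain maps, lists and scalars.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderCheck {

    // Harmless stand-in for "any class on the classpath". The point is only that
    // the document, not the application, decides which class gets instantiated.
    public static class Marker {
        public static int constructed = 0;
        public Marker() { constructed++; }
    }

    // Constructed sample input: ordinary config keys plus a global tag naming a Java class.
    static final String CONFIG =
        "heron.topology.name: demo\n" +
        "extra: !!YamlLoaderCheck$Marker {}\n";

    // Weak setting: the default Constructor resolves global (!!) tags to classes
    // and instantiates them while parsing.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Corrected setting: SafeConstructor builds only standard YAML types
    // (maps, lists, scalars) and rejects every global tag with a YAMLException.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        loadUnsafe(CONFIG);
        System.out.println("default Yaml(): Marker instances created = " + Marker.constructed);

        try {
            loadSafe(CONFIG);
            System.out.println("SafeConstructor: unexpectedly accepted the document");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
        System.out.println("after SafeConstructor: Marker instances created = " + Marker.constructed);
    }
}
```

Running it shows the count rising to 1 on the first load and staying there on the second; auditing a code base for `new Yaml()` without a `SafeConstructor` argument is the corresponding check.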
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Heron | 0.20.0-incubating |
Related Weaknesses (CWE)
- CWE-502: Deserialization of Untrusted Data
References
- https://lists.apache.org/thread.html/r16dd39f4180e4443ef4ca774a3a5a3d7ac69f91812 (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced63
- https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612
- https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde
FAQ
What is CVE-2020-1964?
CVE-2020-1964 is a vulnerability with a CVSS score of 9.8 (CRITICAL). It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data).
How severe is CVE-2020-1964?
CVE-2020-1964 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-1964?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Heron.