Description
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating do not configure their YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data).
References
- Mailing List (Vendor Advisory)
- Mailing List (Vendor Advisory)
Vulnerable configurations
Configuration 1
One of:
cpe:2.3:a:apache:heron:0.20.0-incubating:*:*:*:*:*:*:*
cpe:2.3:a:apache:heron:0.20.1-incubating:-:*:*:*:*:*:*
cpe:2.3:a:apache:heron:0.20.2-incubating:*:*:*:*:*:*:*
EPSS
Percentile: 93%
Score: 0.09859
Rating: Low
CVSS3: 9.8 Critical
CVSS2: 7.5 High
Weaknesses
CWE-502
Related vulnerabilities
CVSS3: 9.8
github
about 4 years ago
Deserialization of Untrusted Data in Apache Heron