Filtered by vendor Apache
Subscriptions
Filtered by product Heron
Subscriptions
Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11789 | 1 Apache | 1 Heron | 2024-08-05 | N/A |
| When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. Example woule be modifying the parameter path= to go to the directory you would like to view. i.e. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd. | ||||
| CVE-2020-1964 | 1 Apache | 1 Heron | 2024-08-04 | 9.8 Critical |
| It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data). | ||||
| CVE-2021-42010 | 1 Apache | 1 Heron | 2024-08-04 | 9.8 Critical |
| Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue. | ||||
Page 1 of 1.