Apache Heron
By the Year
In 2025 there have been 0 vulnerabilities in Apache Heron. Heron did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 1 | 9.80 |
2021 | 0 | 0.00 |
2020 | 1 | 9.80 |
2019 | 1 | 7.50 |
2018 | 0 | 0.00 |
It may take a day or so for new Heron vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Heron Security Vulnerabilities
Heron versions <= 0.20.4-incubating allow CRLF log injection because of the lack of escaping in the log statements
CVE-2021-42010
9.8 - Critical
- October 24, 2022
Heron versions <= 0.20.4-incubating allow CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating, which addresses this issue.
Output Sanitization
It was noticed that Apache Heron 0.20.2-incubating
CVE-2020-1964
9.8 - Critical
- April 16, 2020
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating do not configure their YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data).
Marshaling, Unmarshaling
When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host
CVE-2018-11789
7.5 - High
- March 21, 2019
When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. An example would be modifying the parameter path= to go to the directory you would like to view, i.e. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd.
Directory traversal
