Apache Heron
By the Year
In 2023 there have been 0 vulnerabilities published for Apache Heron. Last year Heron had 1 security vulnerability published. Right now, Heron is on track to have fewer security vulnerabilities in 2023 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 0 | 0.00 |
2022 | 1 | 9.80 |
2021 | 0 | 0.00 |
2020 | 1 | 9.80 |
2019 | 1 | 7.50 |
2018 | 0 | 0.00 |
It may take a day or so for new Heron vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Heron Security Vulnerabilities
Heron versions <= 0.20.4-incubating allow CRLF log injection because of the lack of escaping in the log statements
CVE-2021-42010
9.8 - Critical
- October 24, 2022
Heron versions <= 0.20.4-incubating allow CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating, which addresses this issue.
Injection
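The advisory says the log statements did not escape caller-supplied values, so a value containing `\r\n` ends the current record and starts a forged one. The following is an added example (not Heron's code; the line format, component names and the attacker input are constructed for illustration) that renders the same log statement with and without escaping and counts how many records a log viewer would see:

```python
import re

# Constructed log line format ("timestamp level [component] message"); it is an
# illustration, not Heron's actual log layout.
LINE_FORMAT = "{ts} {level:<5} [{component}] {message}"
RECORD_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (TRACE|DEBUG|INFO|WARN|ERROR)\s+\[")


def sanitize_for_log(value: str) -> str:
    """Escape CR, LF and the remaining C0 control characters so an
    attacker-controlled string can never terminate the current record
    and start a forged one (or inject terminal escape sequences)."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_unsafe(component: str, topology_name: str) -> str:
    """Pre-fix pattern: the user-supplied value is logged verbatim."""
    return LINE_FORMAT.format(ts="2022-10-24 10:00:00", level="INFO",
                              component=component,
                              message="submitting topology " + topology_name)


def render_safe(component: str, topology_name: str) -> str:
    """Fixed pattern: the same statement, value escaped first."""
    return LINE_FORMAT.format(ts="2022-10-24 10:00:00", level="INFO",
                              component=component,
                              message="submitting topology "
                                      + sanitize_for_log(topology_name))


def count_records(log_text: str) -> int:
    """Number of lines a log viewer or SIEM would accept as distinct records."""
    return sum(1 for line in log_text.splitlines() if RECORD_RE.match(line))


# Constructed attacker input: a topology name that carries CRLF followed by a
# complete, well-formed fake ERROR record attributed to another component.
FORGED_NAME = ("wordcount\r\n"
               "2022-10-24 10:00:01 ERROR [scheduler] "
               "topology admin-jobs killed by user=admin")

if __name__ == "__main__":
    print(render_unsafe("submitter", FORGED_NAME))  # two records, one forged
    print(render_safe("submitter", FORGED_NAME))    # one record, CRLF shown as \r\n
```

Escaping at the point where untrusted data enters the message is the fix the advisory describes; filtering only `\r` and `\n` is the minimum, and escaping the rest of the C0 range as above also blocks ANSI escape sequences aimed at whoever reads the log in a terminal.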
It was noticed that Apache Heron 0.20.2-incubating
CVE-2020-1964
9.8 - Critical
- April 16, 2020
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating do not configure the YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data).
Marshaling, Unmarshaling
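The page does not say which YAML library or which Heron component was affected, so the following is an added example, not Heron's code, using PyYAML (assumed installed) to show the class of mistake: a loader that honours type-constructing tags will call whatever callable the document names, while a safe loader only builds scalars, lists and dicts. The document contents and the config keys are constructed for illustration.

```python
import yaml  # PyYAML; assumed available (pip install pyyaml)

# Constructed attacker-controlled document. The python/object/apply tag asks the
# loader to call subprocess.check_output(["echo", "pwned"]); the same mechanism
# reaches os.system or anything else importable.
MALICIOUS_DOC = "!!python/object/apply:subprocess.check_output [[echo, pwned]]\n"

# Constructed benign config; keys are only illustrative.
BENIGN_DOC = """
heron.class.scheduler: org.apache.heron.scheduler.local.LocalScheduler
heron.scheduler.local.working.directory: /tmp/heron
"""


def load_config_unsafe(text: str):
    """Pre-fix pattern: a loader that instantiates arbitrary types on demand."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_config_safe(text: str):
    """Fixed pattern: SafeLoader has no constructors for python/* tags and
    raises ConstructorError instead of executing anything."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def try_load_safe(text: str):
    """Return ("ok", data) or ("rejected", error-class-name)."""
    try:
        return ("ok", load_config_safe(text))
    except yaml.YAMLError as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    print(load_config_unsafe(MALICIOUS_DOC))  # b'pwned\n': the tag ran a command
    print(try_load_safe(MALICIOUS_DOC))       # ('rejected', 'ConstructorError')
    print(load_config_safe(BENIGN_DOC))       # plain dict, no code executed
```

The check to make in a code review is that every `yaml.load` call names a loader, and that the loader is `SafeLoader` (or `yaml.safe_load`) for any document that can come from outside the trust boundary; the equivalent in SnakeYAML is constructing `Yaml` with a `SafeConstructor`. Note that `yaml.FullLoader` is not a substitute: older PyYAML releases let it instantiate Python objects too.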
When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host
CVE-2018-11789
7.5 - High
- March 21, 2019
When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. An example would be modifying the parameter path= to point at the directory you would like to view, e.g. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd.
Directory traversal
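The advisory's payload is a URL-encoded sequence of `../` segments that heron-ui joined onto a container directory without checking where the result pointed. The following is an added example, not heron-ui's code (the container directory is hypothetical and the handler shape is assumed), showing the unchecked join beside a containment check built on canonicalised paths:

```python
import os
from urllib.parse import unquote

# Hypothetical per-container directory that the UI is meant to stay inside.
CONTAINER_DIR = "/tmp/heron/topologies/wordcount/container_1"


def resolve_unsafe(base_dir: str, path_param: str) -> str:
    """Pre-fix pattern: decode the path= parameter, join it to the container
    directory and hand the result to the file reader. Nothing verifies that
    the result is still under base_dir, so ../ segments walk up to /."""
    return os.path.normpath(os.path.join(base_dir, unquote(path_param)))


def resolve_safe(base_dir: str, path_param: str) -> str:
    """Fixed pattern: canonicalise both paths (symlinks included) and refuse
    anything whose real location is not under base_dir. This also rejects an
    absolute path= value, which os.path.join would otherwise use to discard
    base_dir entirely."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, unquote(path_param)))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError("path parameter escapes the container: %r" % path_param)
    return candidate


def is_contained(base_dir: str, path_param: str) -> bool:
    """True if the request would be served, False if it is rejected."""
    try:
        resolve_safe(base_dir, path_param)
        return True
    except PermissionError:
        return False


# The payload from the advisory, plus a sibling-container variant that a
# check based only on the literal string "../" at the start would miss.
ADVISORY_PAYLOAD = "..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
SIBLING_PAYLOAD = "log-files%2F..%2F..%2Fcontainer_2%2Fstdout"

if __name__ == "__main__":
    print(resolve_unsafe(CONTAINER_DIR, ADVISORY_PAYLOAD))   # /etc/passwd
    print(is_contained(CONTAINER_DIR, ADVISORY_PAYLOAD))     # False
    print(is_contained(CONTAINER_DIR, SIBLING_PAYLOAD))      # False
    print(is_contained(CONTAINER_DIR, "log-files%2Fstdout"))  # True
```

Comparing `commonpath` of the canonicalised paths is what makes the check robust: it catches `..` in the middle of the path, absolute paths, and symlinks inside the container that point outside it. A double-encoded payload (`%252F`) decodes once to a literal `%2F` and is treated as an ordinary filename inside the container, so it is contained rather than dangerous; the decision always rests on the resolved path, not on scanning the raw parameter for `../`.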