Vulnerabilities > CVE-2020-1964 - Deserialization of Untrusted Data vulnerability in Apache Heron 0.20.0Incubating/0.20.1Incubating/0.20.2Incubating

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
CWE-502
critical
NVD
Published: 2020-04-16
Updated: 2023-11-07

Summary

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).

Vulnerable Configurations

Part Description Count
Application
Apache
3

Common Weakness Enumeration (CWE)

References