CVE-2020-1964

high-risk
Published 2020-04-16

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).

Do I need to act?

~
9.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Heron
Heron
Heron

Affected Vendors

Apache

References (10)

Mailing List https://lists.apache.org/thread.html/r16dd39f4180e4443ef4ca774a3a5a3d7ac69f91812...
https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced63...
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612...
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612...
https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde...
Mailing List https://lists.apache.org/thread.html/r16dd39f4180e4443ef4ca774a3a5a3d7ac69f91812...
https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced63...
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612...
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612...
https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde...
52
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 11/34 · Low
Exposure 9/34 · Low