GHSA-hjgm-f7vx-m5g7, CVE-2020-1964
maven/org.apache.heron/heron-simulator
Deserialization of Untrusted Data
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).
All versions starting from 0.20.0-incubating up to 0.20.2-incubating
Upgrade to version 0.20.3-incubating or above.
2022-01-11
source |