CVE-2020-1964

Deserialization of Untrusted Data in maven/org.apache.heron/heron-simulator

Identifiers

GHSA-hjgm-f7vx-m5g7, CVE-2020-1964

Package Slug

maven/org.apache.heron/heron-simulator

Vulnerability

Deserialization of Untrusted Data

Description

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).

Affected Versions

All versions starting from 0.20.0-incubating up to 0.20.2-incubating

Solution

Upgrade to version 0.20.3-incubating or above.

Last Modified

2022-01-11

source