CVE-2021-42010

2022-10-2414:15:49

CWE-116

[email protected]

web.nvd.nist.gov

heron

cve-2021-42010

log injection

security update

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.1%

JSON

Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue.

Affected configurations

Vulners

NVD

Node

apacheheronRange≤0.20.4-incubating

CPENameOperatorVersion
apache:heronapache heronlt0.20.5-incubating

CPE	Name	Operator	Version
apache:heron	apache heron	lt	0.20.5-incubating

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Heron (Incubating)",
    "versions": [
      {
        "version": "Apache Heron 0.20.4-incubating",
        "status": "affected",
        "lessThanOrEqual": "0.20.4-incubating",
        "versionType": "custom"
      }
    ]
  }
]