9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1964

GHSA ID

GHSA-hjgm-f7vx-m5g7

EPSS Score

0.9326%

CWE

CWE-502

Published

1/6/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-1964

CVE-2020-1964:
Deserialization of Untrusted Data in Apache Heron

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1964

GHSA ID

GHSA-hjgm-f7vx-m5g7

EPSS Score

0.9326%

CWE

CWE-502

Published

1/6/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.heron:heron-simulator	maven	>= 0.20.0-incubating, <= 0.20.2-incubating	0.20.3-incubating

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe YAML deserialization in Apache Heron's simulator component. While explicit patch details are unavailable, the CVE description explicitly identifies missing YAML parser security configurations as the root cause. In Java/YAML vulnerabilities, the critical functions are typically:

The YAML loading/parsing entry point (loadFromString)
The parser initialization method (createYaml)

These would appear in runtime profiles during exploitation as they directly handle untrusted data deserialization. The high confidence for loadFromString aligns with standard YAML attack patterns, while createYaml receives medium confidence as the configuration point that should enforce SafeConstructor usage.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

It w*s noti*** t**t *p**** **ron *.**.*-in*u**tin*, R*l**s* *.**.*-in*u**tin*, *n* R*l**s* v-*.**.*-in*u**tin* *o*s not *on*i*ur* its Y*ML p*rs*r to pr*v*nt t** inst*nti*tion o* *r*itr*ry typ*s, r*sultin* in * r*mot* *o** *x**ution vuln*r**iliti*s (*

Reasoning

T** vuln*r**ility st*ms *rom uns*** Y*ML **s*ri*liz*tion in *p**** **ron's simul*tor *ompon*nt. W*il* *xpli*it p*t** **t*ils *r* un*v*il**l*, t** *V* **s*ription *xpli*itly i**nti*i*s missin* Y*ML p*rs*r s**urity *on*i*ur*tions *s t** root **us*. In

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-1964: Deserialization of Untrusted Data in Apache Heron

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-1964:
Deserialization of Untrusted Data in Apache Heron

Vulnerability Intelligence
Miggo AI