
CVE-2021-42010: Heron allows CRLF log injection

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.47627%
Published: 10/24/2022
Updated: 8/17/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name                 Ecosystem   Vulnerable Versions    First Patched Version
org.apache.heron:heron-api   maven       < 0.20.5-incubating    0.20.5-incubating

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unescaped log statements in Heron's API components. This assessment is based on:

  1. The CWE-116 classification, which indicates an output encoding (escaping) weakness
  2. Heron's Java architecture, in which logging utilities are centralized
  3. The common vulnerability pattern in logging code where user input is concatenated directly into log messages
  4. The package structure (org.apache.heron.api) being the affected component

While the specific code changes are not visible, the central logging function (LoggingUtils.log) is the prime candidate, since central logging infrastructure would handle message formatting. TopologyBuilder.createTopology is included with lower confidence because it handles user-provided topology configurations that might be logged.
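The root cause described above, attacker-controlled text reaching a log statement without escaping (CWE-116) so that embedded CR/LF characters forge a new log record, is illustrated below in Java. This is an added example and not Heron's code: the class LogNeutralizer and its methods are hypothetical names, and the sample topology name is a constructed input. It shows the vulnerable concatenation pattern next to a hardened form that neutralizes line terminators and other control characters before the value is logged.

```java
import java.util.logging.Logger;

/**
 * Added illustration of CRLF log injection and its mitigation.
 * Hypothetical class: not Heron's LoggingUtils or TopologyBuilder.
 */
public class LogNeutralizer {
    private static final Logger LOG = Logger.getLogger(LogNeutralizer.class.getName());

    /** Vulnerable pattern: untrusted input is concatenated straight into the log message. */
    static String vulnerableMessage(String topologyName) {
        return "Submitting topology: " + topologyName;
    }

    /**
     * Hardened pattern: rewrite CR, LF, TAB and any other control character as a
     * visible escape so an attacker-supplied value can never start a new log record.
     */
    static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        // Remaining C0 controls and DEL: emit as \\uXXXX
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** Same log statement as the vulnerable one, with the untrusted value neutralized first. */
    static String safeMessage(String topologyName) {
        return "Submitting topology: " + neutralize(topologyName);
    }

    public static void main(String[] args) {
        // Constructed sample input: a topology name carrying a line break followed by
        // text shaped like a second, forged log record.
        String crafted = "wordcount\r\nINFO: Submitting topology: admin-approved";

        // Vulnerable form: the message now spans two lines, and a log reader sees a
        // record the application never emitted. CR/LF are made visible here only for display.
        String bad = vulnerableMessage(crafted);
        System.out.println("vulnerable: " + bad.replace("\r", "<CR>").replace("\n", "<LF>"));

        // Hardened form: one line, with the control characters rendered as escapes.
        String good = safeMessage(crafted);
        System.out.println("hardened:   " + good);
        LOG.info(good);
    }
}
```

The neutralizer is applied to the value, not to the whole formatted message, so it belongs in a central logging helper (the role the analysis attributes to LoggingUtils.log) where every caller benefits from it. Escaping rather than silently deleting the characters also preserves forensic value: an injection attempt remains recognizable in the log as a literal `\r\n` sequence.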


WAF Protection Rules

WAF Rule

Heron versions before 0.20.5-incubating allow CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating, which addresses this issue.
