Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue.
{
"cwe_ids": [
"CWE-116"
],
"github_reviewed_at": "2022-10-25T20:22:49Z",
"github_reviewed": true,
"nvd_published_at": "2022-10-24T14:15:00Z",
"severity": "CRITICAL"
}