Apache · Apache Kylin · CVE-2021-31522
**Name of the Vulnerable Software and Affected Versions**
Apache Kylin 2 versions 2.6.6 and prior
Apache Kylin 3 versions 3.1.2 and prior
Apache Kylin 4 versions 4.0.0 and prior
**Description**
The issue stems from a call to `Class.forName(...)` that loads a class whose name is derived from user input, so any class on the classpath can be selected by the caller. This can potentially allow a remote attacker to impact the confidentiality, integrity, and availability of information. The underlying weakness is the use of externally controlled input to select which class is loaded.
**Recommendations**
For Apache Kylin 2 versions 2.6.6 and prior, update to a version later than 2.6.6.
For Apache Kylin 3 versions 3.1.2 and prior, update to a version later than 3.1.2.
For Apache Kylin 4 versions 4.0.0 and prior, update to a version later than 4.0.0.
As a temporary workaround, consider restricting the use of `Class.forName(...)` so that user-supplied input cannot determine which class is loaded, to minimize the risk of exploitation.
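The pattern the description refers to, placed beside one way of applying the workaround above, as an added illustration that is not Kylin's own code; the `loadUnsafe`/`loadSafe` methods, the `ALLOWED_HANDLERS` map and the stand-in handler classes are assumed for the example:

```java
import java.util.Map;

public class ReflectionLoader {

    // Vulnerable shape: the class name comes straight from the request, so any
    // class on the classpath (including ones with side effects in their static
    // initialisers or constructors) can be selected by the caller.
    static Object loadUnsafe(String classNameFromRequest) throws Exception {
        Class<?> clazz = Class.forName(classNameFromRequest);
        return clazz.getDeclaredConstructor().newInstance();
    }

    // Hardened shape: the caller supplies an opaque key and only classes that
    // the application itself registered can be instantiated. The user-supplied
    // string never reaches Class.forName. (Example names, not Kylin's.)
    private static final Map<String, Class<?>> ALLOWED_HANDLERS = Map.of(
        "csv",  ExampleCsvHandler.class,
        "json", ExampleJsonHandler.class
    );

    static Object loadSafe(String handlerKey) throws Exception {
        Class<?> clazz = ALLOWED_HANDLERS.get(handlerKey);
        if (clazz == null) {
            // Reject unknown keys; logging them gives a simple detection signal
            // for probing of the endpoint that accepts this parameter.
            throw new IllegalArgumentException("unknown handler: " + handlerKey);
        }
        return clazz.getDeclaredConstructor().newInstance();
    }

    // Stand-in handler types so the example compiles on its own.
    public static class ExampleCsvHandler  { }
    public static class ExampleJsonHandler { }

    public static void main(String[] args) throws Exception {
        System.out.println(loadSafe("csv").getClass().getSimpleName());
        try {
            // A key that was never registered, even if it names a real class,
            // is rejected before any class loading happens.
            loadSafe("com.example.NotRegistered");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```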