Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to execute the alarm expression directly, and no security policy is configured; because AviatorScript can call any static method by default, this allows script injection through the expression. Version 1.4.1 fixes this vulnerability.
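The contrast the description points at, as an added example that is not HertzBeat's code or its 1.4.1 patch: a shared evaluator left at AviatorScript defaults beside a dedicated instance whose option set is narrowed to plain threshold expressions. It assumes the AviatorScript 5.x options API (`Options.FEATURE_SET`, `Options.ALLOWED_CLASS_SET`); the metric names, values and expressions are constructed sample input.

```java
import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class AlarmExpressionSandboxDemo {

    // Weak pattern: the global shared instance keeps AviatorScript's defaults,
    // so an expression author gets the full scripting language, static calls included.
    static Object evaluateUnrestricted(String expr, Map<String, Object> env) {
        return AviatorEvaluator.getInstance().execute(expr, env);
    }

    // Hardened pattern: a dedicated instance for alarm rules. An empty FEATURE_SET
    // turns off script features (static method/field access, new-instance, loops,
    // assignment, ...); an empty ALLOWED_CLASS_SET leaves no class reachable even
    // if a feature is re-enabled later. Both values are assumed 5.x semantics.
    static final AviatorEvaluatorInstance RESTRICTED = AviatorEvaluator.newInstance();
    static {
        RESTRICTED.setOption(Options.FEATURE_SET, Feature.asSet());
        RESTRICTED.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
    }

    // Compilation of a rule that uses a disabled feature throws; treat that as an
    // invalid alarm definition, never as a reason to fall back to the global instance.
    static Object evaluateRestricted(String expr, Map<String, Object> env) {
        return RESTRICTED.execute(expr, env);
    }

    public static void main(String[] args) {
        Map<String, Object> env = new HashMap<>();
        env.put("usage", 93.5);   // constructed metric sample
        env.put("threshold", 90); // constructed threshold

        // A legitimate threshold rule still evaluates under the restricted policy.
        System.out.println("restricted: " + evaluateRestricted("usage > threshold", env));

        // A rule that smuggles in a static method call is rejected at compile time
        // by the restricted instance instead of being executed.
        try {
            evaluateRestricted("usage > threshold && java.lang.Math.max(usage, 0) > 0", env);
        } catch (RuntimeException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```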
History
16 Jan 2025, 19:11
Type | Values Removed | Values Added |
---|---|---|
References | https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2 - Patch | |
References | https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj - Exploit, Vendor Advisory | |
CPE | cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:* | |
First Time | Apache hertzbeat, Apache | |
21 Nov 2024, 08:38
Type | Values Removed | Values Added |
---|---|---|
References | https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2 | |
References | https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj | |
22 Feb 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2024-02-22 16:15
Updated : 2025-01-16 19:11
NVD link : CVE-2023-51388
Mitre link : CVE-2023-51388
CVE.ORG link : CVE-2023-51388
Products Affected
apache
- hertzbeat
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')