CVE-2023-51389

Hertzbeat is a real-time monitoring system. At the `/define/yml` endpoint, SnakeYAML is used to parse YAML content without any security configuration, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

Configurations

Configuration 1

cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

History

16 Jan 2025, 19:08

Type | Values Removed | Values Added
References | https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 | https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 - Patch
References | https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 | https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 - Exploit, Vendor Advisory
CPE | | cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*
First Time | | Apache
  | | Apache hertzbeat

21 Nov 2024, 08:38

Type | Values Removed | Values Added
References | | https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17
References | | https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96
Summary | | 
  • (es) Hertzbeat is a real-time monitoring system. At the `/define/yml` endpoint, SnakeYAML is used as the parser for YAML content, but no security configuration is used, which results in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

22 Feb 2024, 16:15

Type | Values Removed | Values Added
New CVE | | 

Information

Published : 2024-02-22 16:15

Updated : 2025-01-16 19:08

NVD link : CVE-2023-51389

Mitre link : CVE-2023-51389

CVE.ORG link : CVE-2023-51389

Products Affected

apache

  • hertzbeat

CWE

CWE-502 : Deserialization of Untrusted Data