Lucene search

[email protected]CVE-2023-51389

HistoryFeb 22, 2024 - 4:15 p.m.

CVE-2023-51389

2024-02-2216:15:53

CWE-502

[email protected]

web.nvd.nist.gov

hertzbeat

real-time monitoring

yaml deserialization vulnerability

snakeyaml parser

nvd

cve-2023-51389

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Hertzbeat is a real-time monitoring system. At the interface of /define/yml, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

Affected configurations

Vulners

Node

dromarahertzbeatRange<1.4.1

VendorProductVersionCPE
dromarahertzbeat*cpe:2.3:a:dromara:hertzbeat:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
dromara	hertzbeat	*	cpe:2.3:a:dromara:hertzbeat::::::::

CNA Affected

[
  {
    "vendor": "dromara",
    "product": "hertzbeat",
    "versions": [
      {
        "version": "< 1.4.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17

github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for CVE-2023-51389

osv1 cvelist1 prion1 nvd1