Lucene search

ApacheCVE-2024-42323

HistorySep 21, 2024 - 10:15 a.m.

CVE-2024-42323

2024-09-2110:15:06

CWE-502

apache

web.nvd.nist.gov

cve-2024-42323

snakeyaml

deser load

malicious xml

rce

vulnerability

apache hertzbeat

authorized attackers

upgrade

version 1.6.0

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

EPSS

Percentile

9.6%

JSON

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating).

This vulnerability can only be exploited by authorized attackers.
This issue affects Apache HertzBeat (incubating): before 1.6.0.

Users are recommended to upgrade to version 1.6.0, which fixes the issue.

Affected configurations

Vulners

Vulnrichment

Node

apachehertzbeatRange≤1.6.0

VendorProductVersionCPE
apachehertzbeat*cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	hertzbeat	*	cpe:2.3:a:apache:hertzbeat::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache HertzBeat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.6.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

References

lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx

lists.apache.org/thread/r0c4tost4bllqc1n9q6rmzs1slgsq63t

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

EPSS

Percentile

9.6%

JSON

Related for CVE-2024-42323