Lucene search

GitHub_MCVE-2024-42362

HistoryAug 20, 2024 - 9:15 p.m.

CVE-2024-42362

2024-08-2021:15:14

CWE-502

GitHub_M

web.nvd.nist.gov

hertzbeat

real-time monitoring

authenticated rce

vulnerability

fixed

version 1.6.0

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

51.5%

JSON

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

apachehertzbeatRange<1.6.0

VendorProductVersionCPE
apachehertzbeat*cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	hertzbeat	*	cpe:2.3:a:apache:hertzbeat::::::::

CNA Affected

[
  {
    "vendor": "Apache",
    "product": "HertzBeat",
    "versions": [
      {
        "version": "< 1.6.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/apache/hertzbeat/commit/79f5408e345e8e89da97be05f43e3204a950ddfb

github.com/apache/hertzbeat/commit/9dbbfb7812fc4440ba72bdee66799edd519d06bb

github.com/apache/hertzbeat/pull/1611

github.com/apache/hertzbeat/pull/1620

github.com/apache/hertzbeat/pull/1620/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8

securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

51.5%

JSON

Related for CVE-2024-42362