Lucene search

GitHub_MCVELIST:CVE-2024-42362

HistoryAug 20, 2024 - 8:56 p.m.

CVE-2024-42362 GHSL-2023-255: HertzBeat Authenticated (user role) RCE via unsafe deserialization in /api/monitors/import

2024-08-2020:56:23

CWE-502

GitHub_M

www.cve.org

hertzbeat

authenticated rce

unsafe deserialization

monitors import

user role

fixed vulnerability

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

51.5%

JSON

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

CNA Affected

[
  {
    "vendor": "Apache",
    "product": "HertzBeat",
    "versions": [
      {
        "version": "< 1.6.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/apache/hertzbeat/commit/79f5408e345e8e89da97be05f43e3204a950ddfb

github.com/apache/hertzbeat/commit/9dbbfb7812fc4440ba72bdee66799edd519d06bb

github.com/apache/hertzbeat/pull/1611

github.com/apache/hertzbeat/pull/1620

github.com/apache/hertzbeat/pull/1620/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8

securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

51.5%

JSON

Related for CVELIST:CVE-2024-42362