Lucene search

[email protected]NVD:CVE-2024-42362

HistoryAug 20, 2024 - 9:15 p.m.

CVE-2024-42362

2024-08-2021:15:14

CWE-502

[email protected]

web.nvd.nist.gov

hertzbeat

monitoring system

authenticated

rce

unsafe deserialization

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

51.5%

JSON

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

Affected configurations

Nvd

Node

apachehertzbeatRange<1.6.0

VendorProductVersionCPE
apachehertzbeat*cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	hertzbeat	*	cpe:2.3:a:apache:hertzbeat::::::::

References

github.com/apache/hertzbeat/commit/79f5408e345e8e89da97be05f43e3204a950ddfb

github.com/apache/hertzbeat/commit/9dbbfb7812fc4440ba72bdee66799edd519d06bb

github.com/apache/hertzbeat/pull/1611

github.com/apache/hertzbeat/pull/1620

github.com/apache/hertzbeat/pull/1620/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8

securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

51.5%

JSON

Related for NVD:CVE-2024-42362

vulnrichment1 osv1 cvelist1 cve1