Lucene search

GoogleOSV:CVE-2024-42362

HistoryAug 20, 2024 - 9:15 p.m.

CVE-2024-42362

2024-08-2021:15:14

Google

osv.dev

hertzbeat real-time monitoring system authenticated rce unsafe deserialization fixed 1.6.0

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

Low

EPSS

0.001

Percentile

51.5%

JSON

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

References

github.com/apache/hertzbeat/commit/79f5408e345e8e89da97be05f43e3204a950ddfb

github.com/apache/hertzbeat/commit/9dbbfb7812fc4440ba72bdee66799edd519d06bb

github.com/apache/hertzbeat/pull/1611

github.com/apache/hertzbeat/pull/1620

github.com/apache/hertzbeat/pull/1620/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8

securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

Low

EPSS

0.001

Percentile

51.5%

JSON

Related for OSV:CVE-2024-42362