CVE-2024-41151 – Apache HertzBeat: RCE by notice template injection vulnerability
https://notcve.org/view.php?id=CVE-2024-41151
Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. • https://lists.apache.org/thread/oor9nw6nh2ojnfw8d8oxrv40cbtk5mwj https://lists.apache.org/thread/p33tg0vo5nh6kscth4262ktsqo3h5lqo • CWE-502: Deserialization of Untrusted Data •
CVE-2024-45791 – Apache HertzBeat: Exposure sensitive token via http GET method with query string
https://notcve.org/view.php?id=CVE-2024-45791
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. • https://lists.apache.org/thread/jmbsfjsvrfnvosh1ftrm3ry4j3sb7doz https://lists.apache.org/thread/lvsczrp8kdynppmzyxtkh4ord4gpw1ph • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-45505 – Apache HertzBeat: Exists Native Deser RCE and file writing vulnerabilities
https://notcve.org/view.php?id=CVE-2024-45505
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. • https://lists.apache.org/thread/gvbc68krhqhht7mkkkx7k13k6k6fdhy0 https://lists.apache.org/thread/h8k14o1bfyod66p113pkgnt1s52p6p19 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-42323 – Apache HertzBeat: RCE by snakeYaml deser load malicious xml
https://notcve.org/view.php?id=CVE-2024-42323
SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.0. Users are recommended to upgrade to version 1.6.0, which fixes the issue. • https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx https://lists.apache.org/thread/r0c4tost4bllqc1n9q6rmzs1slgsq63t • CWE-502: Deserialization of Untrusted Data •
CVE-2024-42362 – GHSL-2023-255: HertzBeat Authenticated (user role) RCE via unsafe deserialization in /api/monitors/import
https://notcve.org/view.php?id=CVE-2024-42362
Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0. • https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat https://github.com/apache/hertzbeat/pull/1611 https://github.com/apache/hertzbeat/pull/1620 https://github.com/apache/hertzbeat/pull/1620/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8 https://github.com/apache/hertzbeat/commit/79f5408e345e8e89da97be05f43e3204a950ddfb https://github.com/apache/hertzbeat/commit/9dbbfb7812fc4440ba72bdee66799edd519d06bb • CWE-502: Deserialization of Untrusted Data •