6 results (0.006 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability. Hertzbeat es un sistema de monitorización en tiempo real. En la interfaz de `/define/yml`, SnakeYAML se usa como analizador para analizar el contenido yml, pero no se usa ninguna configuración de seguridad, lo que genera una vulnerabilidad de deserialización de YAML. • https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability. Hertzbeat es un sistema de monitorización en tiempo real. En `CalculateAlarm.java`, `AviatorEvaluator` se usa para ejecutar directamente la función de expresión y no se configura ninguna política de seguridad, lo que da como resultado la inyección de script AviatorScript (que puede ejecutar cualquier método estático de forma predeterminada). • https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2 https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor/detect`. If there is a URL field, the address will be used by default. When the URL is `service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari`, it can be exploited to cause remote code execution. • https://github.com/dromara/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This could result in disclosure of sensitive server information. Version 1.4.1 fixes this issue. Hertzbeat es un sistema de monitoreo en tiempo real de código abierto. • https://github.com/dromara/hertzbeat/releases/tag/v1.4.1 https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2 • CWE-862: Missing Authorization •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitization for alert expressions in version prior to 1.4.1, a malicious user can use a crafted alert expression to execute any command on hertzbeat server. A malicious user who has access to alert define function can execute any command in hertzbeat instance. • https://github.com/dromara/hertzbeat/blob/6b599495763120ad1df6f4ed4b6713bb4885d8e2/home/blog/2023-09-26-hertzbeat-v1.4.1.md https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2 https://github.com/dromara/hertzbeat/security/advisories/GHSA-4576-m8px-w9qj • CWE-94: Improper Control of Generation of Code ('Code Injection') •