Vulnerability Description
Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses AviatorScript to evaluate alert expressions. The alert expressions are supposed to be simple expressions. However, due to improper sanitization of alert expressions in versions prior to 1.4.1, a malicious user can use a crafted alert expression to execute arbitrary commands on the Hertzbeat server. A malicious user who has access to the alert definition function can execute arbitrary commands on the Hertzbeat instance. This issue is fixed in version 1.4.1.
CVSS Score
HIGH (base score 7.2)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Hertzbeat | < 1.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/dromara/hertzbeat/blob/6b599495763120ad1df6f4ed4b6713bb4885d8 (Release Notes)
- https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1 (Patch)
- https://github.com/dromara/hertzbeat/security/advisories/GHSA-4576-m8px-w9qj (Exploit, Vendor Advisory)
FAQ
What is CVE-2023-51387?
CVE-2023-51387 is a vulnerability with a CVSS score of 7.2 (HIGH). Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to ...
How severe is CVE-2023-51387?
CVE-2023-51387 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-51387?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Hertzbeat.