Vulnerability Description
Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Hertzbeat | < 1.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cPatch
- https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96ExploitVendor Advisory
- https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cPatch
- https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96ExploitVendor Advisory
FAQ
What is CVE-2023-51389?
CVE-2023-51389 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserializ...
How severe is CVE-2023-51389?
CVE-2023-51389 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-51389?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Hertzbeat.