CVE-2023-51389

Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17	Patch
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96	Exploit Vendor Advisory
https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17	Patch
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

History

16 Jan 2025, 19:08

Type	Values Removed	Values Added
References	~~() https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 -~~	() https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 - Patch
References	~~() https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 -~~	() https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 - Exploit, Vendor Advisory
First Time		Apache Apache hertzbeat
CPE		cpe:2.3:a:apache:hertzbeat::::::::

Information

Published : 2024-02-22 16:15

Updated : 2025-01-16 19:08

NVD link : CVE-2023-51389

Mitre link : CVE-2023-51389

CVE.ORG link : CVE-2023-51389

JSON object : View

Products Affected

apache

hertzbeat

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-51389", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-02-22T16:15:53.623", "references": [{"url": "https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability."}, {"lang": "es", "value": "Hertzbeat es un sistema de monitorizaci\u00f3n en tiempo real. En la interfaz de `/define/yml`, SnakeYAML se usa como analizador para analizar el contenido yml, pero no se usa ninguna configuraci\u00f3n de seguridad, lo que genera una vulnerabilidad de deserializaci\u00f3n de YAML. La versi\u00f3n 1.4.1 corrige esta vulnerabilidad."}], "lastModified": "2025-01-16T19:08:36.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B4E8400-424B-4FCB-81C8-5D559B146130", "versionEndExcluding": "1.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}