CVE-2023-51389

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

H

ertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

References

Link	Resource
https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17	Patch
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96	Exploit Vendor Advisory
https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17	Patch
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

History

16 Jan 2025, 19:08

Type	Values Removed	Values Added
First Time		Apache Apache hertzbeat
CPE		cpe:2.3:a:apache:hertzbeat::::::::
References	~~() https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 -~~	() https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 - Patch
References	~~() https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 -~~	() https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 - Exploit, Vendor Advisory

21 Nov 2024, 08:38

Type	Values Removed	Values Added
References	~~() https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 -~~	() https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17 -
References	~~() https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 -~~	() https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96 -

Information

Published : 2024-02-22 16:15

Updated : 2025-01-16 19:08

NVD link : CVE-2023-51389

Mitre link : CVE-2023-51389

CVE.ORG link : CVE-2023-51389

JSON object : View

Products Affected

hertzbeat

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-51389", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-02-22T16:15:53.623", "references": [{"url": "https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability."}, {"lang": "es", "value": "Hertzbeat es un sistema de monitorizaci\u00f3n en tiempo real. En la interfaz de `/define/yml`, SnakeYAML se usa como analizador para analizar el contenido yml, pero no se usa ninguna configuraci\u00f3n de seguridad, lo que genera una vulnerabilidad de deserializaci\u00f3n de YAML. La versi\u00f3n 1.4.1 corrige esta vulnerabilidad."}], "lastModified": "2025-01-16T19:08:36.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B4E8400-424B-4FCB-81C8-5D559B146130", "versionEndExcluding": "1.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}