CVE-2022-39337 - OpenCVE

Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Dromara	Hertzbeat

Configuration 1 [-]

cpe:2.3:a:dromara:hertzbeat:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876	Patch
https://github.com/dromara/hertzbeat/issues/377	Exploit Issue Tracking
https://github.com/dromara/hertzbeat/pull/382	Issue Tracking Patch
https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-22T15:06:04.941Z

Updated: 2023-12-22T15:06:04.941Z

Reserved: 2022-09-02T14:16:35.876Z

Link: CVE-2022-39337

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-22T15:15:07.810

Modified: 2024-01-02T20:27:42.740

Link: CVE-2022-39337

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-39337", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-09-02T14:16:35.876Z", "datePublished": "2023-12-22T15:06:04.941Z", "dateUpdated": "2023-12-22T15:06:04.941Z"}, "containers": {"cna": {"title": "Permission bypass due to incorrect configuration in github.com/dromara/hertzbeat", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6"}, {"name": "https://github.com/dromara/hertzbeat/issues/377", "tags": ["x_refsource_MISC"], "url": "https://github.com/dromara/hertzbeat/issues/377"}, {"name": "https://github.com/dromara/hertzbeat/pull/382", "tags": ["x_refsource_MISC"], "url": "https://github.com/dromara/hertzbeat/pull/382"}, {"name": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876", "tags": ["x_refsource_MISC"], "url": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876"}], "affected": [{"vendor": "dromara", "product": "hertzbeat", "versions": [{"version": "<= 1.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-22T15:06:04.941Z"}, "descriptions": [{"lang": "en", "value": "Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue."}], "source": {"advisory": "GHSA-434f-f5cw-3rj6", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dromara:hertzbeat:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5CD6894-0209-4517-8CB3-C7BF223661DC", "versionEndExcluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue."}, {"lang": "es", "value": "Hertzbeat es un sistema de monitoreo en tiempo real de c\u00f3digo abierto con monitoreo personalizado, cl\u00faster de alto rendimiento, similar a Prometheus y sin agentes. Las versiones 1.20 y anteriores de Hertzbeat tienen una vulnerabilidad de omisi\u00f3n de permisos. La autenticaci\u00f3n del sistema se puede omitir e invocar interfaces sin autorizaci\u00f3n. La versi\u00f3n 1.2.1 contiene un parche para este problema."}], "id": "CVE-2022-39337", "lastModified": "2024-01-02T20:27:42.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-22T15:15:07.810", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/dromara/hertzbeat/issues/377"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/dromara/hertzbeat/pull/382"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}