Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

No data.

No data.

References
Link Resource
https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17
https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-22T15:59:29.842Z

Updated: 2024-02-22T15:59:29.842Z

Reserved: 2023-12-18T19:35:29.004Z

Link: CVE-2023-51389

JSON object: View

cve-icon NVD Information

Status : Awaiting Analysis

Published: 2024-02-22T16:15:53.623

Modified: 2024-02-22T19:07:27.197

Link: CVE-2023-51389

JSON object: View

cve-icon Redhat Information

No data.

CWE