CVE-2023-51389

Exploit

EPSS 0.49%
Published 22.02.2024 16:15:53
Last modified 16.01.2025 19:08:36
Source security-advisories@github.com
Teams watchlist Login
Open Login

Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Hertzbeat Version < 1.4.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.644

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17

Patch

https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-51389

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-51389

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-51389

EUVD