Apache

Hertzbeat

15 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.05%
  • Published 09.09.2025 09:31:35
  • Last modified 10.09.2025 15:54:50

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting cus...

  • EPSS 0.06%
  • Published 09.09.2025 09:30:59
  • Last modified 10.09.2025 15:53:00

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing v...

  • EPSS 0.07%
  • Published 16.04.2025 15:38:11
  • Last modified 23.04.2025 19:13:22

Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

  • EPSS 0.68%
  • Published 18.11.2024 09:15:05
  • Last modified 24.06.2025 16:29:09

Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fix...

  • EPSS 2.36%
  • Published 18.11.2024 09:15:05
  • Last modified 24.06.2025 16:23:59

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): b...

  • EPSS 0.32%
  • Published 18.11.2024 09:15:05
  • Last modified 24.06.2025 16:22:41

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue.

  • EPSS 64.44%
  • Published 21.09.2024 10:15:06
  • Last modified 01.07.2025 20:27:42

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.0. Users are recommended to upgra...

Exploit
  • EPSS 0.18%
  • Published 20.08.2024 21:15:14
  • Last modified 28.08.2024 13:49:50

Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowin...

Exploit
  • EPSS 0.35%
  • Published 20.08.2024 21:15:14
  • Last modified 28.08.2024 13:49:47

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

Exploit
  • EPSS 0.78%
  • Published 22.02.2024 16:15:53
  • Last modified 16.01.2025 19:11:41

Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by def...