VYPR

hertzbeat

by Dromara

CVEs (4)

  • CVE-2024-42361HigAug 20, 2024
    risk 0.49cvss 7.5epss 0.01

    Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.

  • CVE-2023-51653CriFeb 22, 2024
    risk 0.00cvss 9.8epss 0.02

    Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor/detect`. If there is a URL field, the address will be used by default. When the…

  • CVE-2023-51388CriFeb 22, 2024
    risk 0.00cvss 9.8epss 0.01

    Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection.…

  • CVE-2023-51387HigDec 22, 2023
    risk 0.00cvss 7.2epss 0.01

    Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitization for alert expressions in version prior to 1.4.1, a…