CRITICAL🇵🇱 Wersja polska

CVE-2023-51388

CVSS 9.8v3.1pub. 2024-02-22upd. 2025-01-16

Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.

🤖 AI Analysis
How it works

In the `CalculateAlarm.java` file, the `AviatorEvaluator` component executes expressions passed as input without any security restrictions. The AviatorScript engine by default allows calling arbitrary static Java methods, meaning an attacker can inject a malicious expression and execute arbitrary code at the operating system level. The lack of security policy configuration (sandbox) makes the exploit trivial to perform remotely without authentication.

Impact

An attacker can remotely execute arbitrary code on the server (RCE), leading to complete system compromise, data exposure, configuration modification, or complete service availability disruption.

Mitigation & patch

Apache Hertzbeat should be updated to version 1.4.1, which eliminates this vulnerability by implementing proper security policy for AviatorEvaluator. Patch details are available in the vendor references on GitHub.

Who is affected

Apache Hertzbeat in versions prior to 1.4.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Hertzbeat

    APP
    Apache
    < 1.4.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-51653CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — JNDI injection RCE przez endpoint JMX

CVE-2023-51389CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — YAML deserialization w endpoincie /define/yml

CVE-2026-24343HIGH8.8ten sam produkt

Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat...

CVE-2025-24404HIGH8.8ten sam produkt

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attack...

CVE-2025-48208HIGH8.8ten sam produkt

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache H...