Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.
In the `CalculateAlarm.java` file, the `AviatorEvaluator` component executes expressions passed as input without any security restrictions. The AviatorScript engine by default allows calling arbitrary static Java methods, meaning an attacker can inject a malicious expression and execute arbitrary code at the operating system level. The lack of security policy configuration (sandbox) makes the exploit trivial to perform remotely without authentication.
An attacker can remotely execute arbitrary code on the server (RCE), leading to complete system compromise, data exposure, configuration modification, or complete service availability disruption.
Apache Hertzbeat should be updated to version 1.4.1, which eliminates this vulnerability by implementing proper security policy for AviatorEvaluator. Patch details are available in the vendor references on GitHub.
Apache Hertzbeat in versions prior to 1.4.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Hertzbeat
APPApache< 1.4.1
Related vulnerabilities
Apache Hertzbeat — JNDI injection RCE przez endpoint JMX
Apache Hertzbeat — YAML deserialization w endpoincie /define/yml
Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat...
XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attack...
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache H...