Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.
The `/define/yml` endpoint accepts YAML data and passes it to the SnakeYAML parser without applying any security mechanisms, such as restricting allowed types. An attacker can provide a crafted YAML payload containing references to unsafe Java classes, whose initialization during deserialization leads to arbitrary code execution. The vulnerability is accessible over the network without requiring authentication and without user interaction.
An attacker can gain full control over the server, including executing arbitrary system commands, reading or modifying data, and causing service unavailability.
Apache Hertzbeat should be updated to version 1.4.1, which eliminates the vulnerability by applying secure SnakeYAML parser configuration.
Apache Hertzbeat in versions earlier than 1.4.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Hertzbeat
APPApache< 1.4.1
Related vulnerabilities
Apache Hertzbeat — JNDI injection RCE przez endpoint JMX
Apache Hertzbeat — script injection via AviatorEvaluator (RCE)
Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat...
XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attack...
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache H...