← voltar
CVE-2023-51388

HertzBeat AviatorScript Inject RCE

CVSS 9.8 CRITICALEPSS 1.3%CWE-74
Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
dromara · hertzbeat

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj