tomsun28

CVE-2024-42362 WRITEUP HIGH WRITEUP

Hertzbeat < 1.6.0 - Authenticated Remote Code Execution via Unsafe Deserialization in Monitor Import

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

CVSS 8.8

View Code

CVE-2022-39337 WRITEUP HIGH WRITEUP

Hertzbeat < 1.2.1 - Unauthenticated Permission Bypass

Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.

CVSS 7.5

View Code

CVE-2023-51389 WRITEUP CRITICAL WRITEUP

Hertzbeat < 1.4.1 - Deserialization of Untrusted Data via SnakeYAML Parser

Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

CVSS 9.8

View Code

CVE-2024-42362 WRITEUP HIGH WRITEUP

Hertzbeat < 1.6.0 - Authenticated Remote Code Execution via Unsafe Deserialization in Monitor Import

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

CVSS 8.8

View Code