Skip to main content

Hertzbeat CVE-2023-51387

HIGH
Code Injection (CWE-94)
2023-12-22 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 22, 2023 - 21:15 nvd
HIGH 8.8

DescriptionNVD

Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitization for alert expressions in version prior to 1.4.1, a malicious user can use a crafted alert expression to execute any command on hertzbeat server. A malicious user who has access to alert define function can execute any command in hertzbeat instance. This issue is fixed in version 1.4.1.

AnalysisAI

Hertzbeat is an open source, real-time monitoring system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitization for alert expressions in version prior to 1.4.1, a malicious user can use a crafted alert expression to execute any command on hertzbeat server. A malicious user who has access to alert define function can execute any command in hertzbeat instance. This issue is fixed in version 1.4.1. Affected products include: Apache Hertzbeat. Version information: prior to 1.4.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

CVE-2024-42361 CRITICAL POC
9.8 Aug 20

Hertzbeat is an open source, real-time monitoring system. Rated critical severity (CVSS 9.8), this vulnerability is remo

CVE-2024-42362 HIGH POC
8.8 Aug 20

Hertzbeat is an open source, real-time monitoring system. Rated high severity (CVSS 8.8), this vulnerability is remotely

CVE-2023-51650 HIGH POC
7.5 Dec 22

Hertzbeat is an open source, real-time monitoring system. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2026-24343 HIGH
8.8 Feb 10

Apache HertzBeat versions 1.7.1 through 1.8.0 contain an XPath injection vulnerability that allows authenticated attacke

CVE-2024-45505 HIGH
8.8 Nov 18

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (i

CVE-2024-41151 HIGH
8.8 Nov 18

Deserialization of Untrusted Data vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability

CVE-2024-42323 HIGH
8.8 Sep 21

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), t

CVE-2024-45791 HIGH
7.5 Nov 18

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.6.1. Rated high severity (C

CVE-2024-56736 MEDIUM
6.5 Apr 16

Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat.7.0. Rated medium severity (CVSS 6.5), this vulnera

CVE-2025-48208 HIGH
8.8 Sep 09

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat .

CVE-2025-24404 HIGH
8.8 Sep 09

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8),

Share

CVE-2023-51387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy