Apache: >> Hertzbeat >> 1.1.1 Security Vulnerabilities
XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat.
The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability.
This issue affects Apache HertzBeat (incubating): before 1.7.0.
Users are recommended to upgrade to version 1.7.0, which fixes the issue.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-09-09
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat .
The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary script execution.
This issue affects Apache HertzBeat: through 1.7.2.
Users are recommended to upgrade to version [1.7.3], which fixes the issue.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-09-09
Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat.
This issue affects Apache HertzBeat (incubating): before 1.7.0.
Users are recommended to upgrade to version 1.7.0, which fixes the issue.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-04-16
Deserialization of Untrusted Data vulnerability in Apache HertzBeat.
This vulnerability can only be exploited by authorized attackers.
This issue affects Apache HertzBeat: before 1.6.1.
Users are recommended to upgrade to version 1.6.1, which fixes the issue.
CVSS Score
8.8
EPSS Score
0.007
Published
2024-11-18
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating).
This vulnerability can only be exploited by authorized attackers.
This issue affects Apache HertzBeat (incubating): before 1.6.1.
Users are recommended to upgrade to version 1.6.1, which fixes the issue.
CVSS Score
8.8
EPSS Score
0.024
Published
2024-11-18
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.
This issue affects Apache HertzBeat: before 1.6.1.
Users are recommended to upgrade to version 1.6.1, which fixes the issue.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-11-18
SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating).
This vulnerability can only be exploited by authorized attackers.
This issue affects Apache HertzBeat (incubating): before 1.6.0.
Users are recommended to upgrade to version 1.6.0, which fixes the issue.
CVSS Score
8.8
EPSS Score
0.644
Published
2024-09-21
Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.
CVSS Score
7.5
EPSS Score
0.005
Published
2024-08-20
Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.
CVSS Score
8.8
EPSS Score
0.003
Published
2024-08-20
Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.
CVSS Score
9.8
EPSS Score
0.008
Published
2024-02-22
Page 1