CVE-2024-42361

Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

History

28 Aug 2024, 13:49

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 9.8
First Time Apache
Apache hertzbeat
CPE cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*
References () https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/manager/src/main/java/org/dromara/hertzbeat/manager/controller/MonitorsController.java#L202 - () https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/manager/src/main/java/org/dromara/hertzbeat/manager/controller/MonitorsController.java#L202 - Patch
References () https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L242 - () https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L242 - Patch
References () https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L295 - () https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L295 - Patch
References () https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/ - () https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/ - Exploit, Third Party Advisory

21 Aug 2024, 12:30

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-20 21:15

Updated : 2024-08-28 13:49


NVD link : CVE-2024-42361

Mitre link : CVE-2024-42361

CVE.ORG link : CVE-2024-42361


JSON object : View

Products Affected

apache

  • hertzbeat
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')