Dromara Hertzbeat up to 1.4.0 authorization

Summaryinfo

A vulnerability categorized as problematic has been discovered in Dromara Hertzbeat up to 1.4.0. This vulnerability affects unknown code. Such manipulation leads to authorization. This vulnerability is referenced as CVE-2023-51650. It is possible to launch the attack remotely. No exploit is available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in Dromara Hertzbeat up to 1.4.0 and classified as problematic. Affected by this issue is an unknown functionality. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Impacted is confidentiality. CVE summarizes:

Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This could result in disclosure of sensitive server information. Version 1.4.1 fixes this issue.

The weakness was published 12/23/2023 as GHSA-rrc5-qpxr-5jm2. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2023-51650 since 12/20/2023. There are neither technical details nor an exploit publicly available.

Upgrading to version 1.4.1 eliminates this vulnerability. The upgrade is hosted for download at github.com.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Dromara

Name

• Hertzbeat

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4.0

Website

• Product: https://github.com/dromara/hertzbeat/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion