GHSL-2023-256: HertzBeat Authenticated (guest role) SQL injection in /api/monitor/{monitorId}/metric/{metricFull}
CVE-2024-42361

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Hertzbeat
Vendor: CVE Published:; 20 August 2024

What is CVE-2024-42361?

Hertzbeat, an open-source real-time monitoring system, is susceptible to a SQL injection vulnerability in its API. The flaw exists in versions 1.6.0 and earlier, specifically within the /api/monitor/{monitorId}/metric/{metricFull} endpoint. This endpoint allows users to download job metrics and executes a SQL query using data from user inputs without sufficient validation. Consequently, attackers can manipulate the input parameters, potentially compromising the integrity and confidentiality of the database. Proper security measures should be applied to validate and sanitize all user inputs to mitigate the risk associated with this vulnerability.

Affected Version(s)

HertzBeat <= 1.6.0

References

https://securitylab.github.com/advisories/GHSL-2023-254_G...

x_refsource_CONFIRM

https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d8...

x_refsource_MISC

https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d8...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2024

Apache

What is CVE-2024-42361?

Affected Version(s)

References

CVSS V3.1

Timeline