Vulnerabilities > CVE-2022-39337 - Incorrect Authorization vulnerability in Apache Hertzbeat

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

apache

CWE-863

NVD

Published: 2023-12-22

Updated: 2024-08-28

Summary

Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Hertzbeat - Apache Hertzbeat 1.0 Apache Hertzbeat 1.1.0 Apache Hertzbeat 1.1.1 Apache Hertzbeat 1.1.2 Apache Hertzbeat 1.1.3 Apache Hertzbeat 1.2.0	15

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6
https://github.com/dromara/hertzbeat/issues/377
https://github.com/dromara/hertzbeat/pull/382
https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876