Home > Vulnerability Database > CVE-2023-51388

Mend.io Vulnerability Database

CVE-2023-51388

Date: February 22, 2024

Hertzbeat is a real-time monitoring system. In "CalculateAlarm.java", "AviatorEvaluator" is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.

Language: Java

Severity Score

9.8

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-51388

Url: https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj

Url: https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2

Url: https://www.mend.io/vulnerability-database/CVE-2023-51388

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-51388

Date: February 22, 2024

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?