CVE-2023-51389

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-51389
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-51389.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-51389
Aliases
  • GHSA-rmvr-9p5x-mm96
Published
2024-02-22T15:59:29.842Z
Modified
2025-12-05T00:13:26.485719Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
HertzBeat SnakeYAML Deser RCE
Details

HertzBeat is a real-time monitoring system. At the /define/yml interface, SnakeYAML is used as the parser for the submitted YAML content, but no security configuration is applied, resulting in a YAML deserialization vulnerability. Version 1.4.1 fixes this vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/51xxx/CVE-2023-51389.json"
}
References

Affected packages

Git / github.com/apache/hertzbeat

Affected ranges

Type
GIT
Repo
https://github.com/apache/hertzbeat
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "manager/src/main/java/org/dromara/hertzbeat/manager/controller/AppController.java",
            "function": "newAppDefineYml"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-51389-1dab890b",
        "digest": {
            "function_hash": "60880393756831926403336707689209356780",
            "length": 300.0
        },
        "source": "https://github.com/apache/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17"
    },
    {
        "target": {
            "file": "manager/src/main/java/org/dromara/hertzbeat/manager/controller/AppController.java"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-51389-7d13e681",
        "digest": {
            "line_hashes": [
                "52570303794679753412583292302318335895",
                "191557137803662959462240526233604605513",
                "146040424202470765220216409595569237563",
                "69302556828958808487577480082681499698",
                "171136214917092730649836567242026531615",
                "114405915451127368432363386428116200297",
                "163693886593850766923608090039073144037",
                "93928055722754203425517400254607393444",
                "139571565452669111103499365483050086838",
                "153063976820333044408821742602287364662",
                "227268253392932013446537472675129651163"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/apache/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17"
    },
    {
        "target": {
            "file": "manager/src/main/java/org/dromara/hertzbeat/manager/controller/AppController.java",
            "function": "updateAppDefineYml"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-51389-f86aafdf",
        "digest": {
            "function_hash": "71603379668867079006296559385608423201",
            "length": 299.0
        },
        "source": "https://github.com/apache/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17"
    }
]