{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T17:32:41.348","vulnerabilities":[{"cve":{"id":"CVE-2023-51388","sourceIdentifier":"security-advisories@github.com","published":"2024-02-22T16:15:53.413","lastModified":"2025-01-16T19:11:41.830","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to execute the expression function directly, with no security policy configured. Because AviatorScript can execute any static method by default, this results in AviatorScript script injection. Version 1.4.1 fixes this vulnerability."},{"lang":"es","value":"Hertzbeat es un sistema de monitorización en tiempo real. En `CalculateAlarm.java`, `AviatorEvaluator` se usa para ejecutar directamente la función de expresión y no se configura ninguna política de seguridad, lo que da como resultado la inyección de script AviatorScript (que puede ejecutar cualquier método estático de forma predeterminada). 
La versión 1.4.1 corrige esta vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-74"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*","versionEndExcluding":"1.4.1","matchCriteriaId":"0B4E8400-424B-4FCB-81C8-5D559B146130"}]}]}],"references":[{"url":"https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj","source":"security-advisories@github.com","tags":["Exploit","Vendor 
Advisory"]},{"url":"https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Vendor Advisory"]}]}}]}