CVE-2022-39337 - Vulnerability Details - OpenCVE

Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Hertzbeat

Configuration 1 [-]

cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876
https://github.com/dromara/hertzbeat/issues/377
https://github.com/dromara/hertzbeat/pull/382
https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6

History

Wed, 28 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache hertzbeat
CPEs	cpe:2.3:a:dromara:hertzbeat::::::::	cpe:2.3:a:apache:hertzbeat::::::::
Vendors & Products	Dromara Dromara hertzbeat	Apache Apache hertzbeat

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-22T15:06:04.941Z

Updated: 2024-08-03T12:00:44.134Z

Reserved: 2022-09-02T14:16:35.876Z

Link: CVE-2022-39337

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-22T15:15:07.810

Modified: 2024-11-21T07:18:03.993

Link: CVE-2022-39337

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-39337", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-09-02T14:16:35.876Z", "datePublished": "2023-12-22T15:06:04.941Z", "dateUpdated": "2024-08-03T12:00:44.134Z"}, "containers": {"cna": {"title": "Permission bypass due to incorrect configuration in github.com/dromara/hertzbeat", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6"}, {"name": "https://github.com/dromara/hertzbeat/issues/377", "tags": ["x_refsource_MISC"], "url": "https://github.com/dromara/hertzbeat/issues/377"}, {"name": "https://github.com/dromara/hertzbeat/pull/382", "tags": ["x_refsource_MISC"], "url": "https://github.com/dromara/hertzbeat/pull/382"}, {"name": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876", "tags": ["x_refsource_MISC"], "url": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876"}], "affected": [{"vendor": "dromara", "product": "hertzbeat", "versions": [{"version": "<= 1.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-22T15:06:04.941Z"}, "descriptions": [{"lang": "en", "value": "Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue."}], "source": {"advisory": "GHSA-434f-f5cw-3rj6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.134Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6"}, {"name": "https://github.com/dromara/hertzbeat/issues/377", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dromara/hertzbeat/issues/377"}, {"name": "https://github.com/dromara/hertzbeat/pull/382", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dromara/hertzbeat/pull/382"}, {"name": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC2FBA0A-B433-4E27-BB3A-2D5B2B2C33B5", "versionEndExcluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue."}, {"lang": "es", "value": "Hertzbeat es un sistema de monitoreo en tiempo real de c\u00f3digo abierto con monitoreo personalizado, cl\u00faster de alto rendimiento, similar a Prometheus y sin agentes. Las versiones 1.20 y anteriores de Hertzbeat tienen una vulnerabilidad de omisi\u00f3n de permisos. La autenticaci\u00f3n del sistema se puede omitir e invocar interfaces sin autorizaci\u00f3n. La versi\u00f3n 1.2.1 contiene un parche para este problema."}], "id": "CVE-2022-39337", "lastModified": "2024-11-21T07:18:03.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-22T15:15:07.810", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/dromara/hertzbeat/issues/377"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/dromara/hertzbeat/pull/382"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/dromara/hertzbeat/commit/ac5970c6ceb64fafe237fc895243df5f21e40876"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/dromara/hertzbeat/issues/377"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/dromara/hertzbeat/pull/382"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/dromara/hertzbeat/security/advisories/GHSA-434f-f5cw-3rj6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}