CVE-2023-51388
- Source
- https://cve.org/CVERecord?id=CVE-2023-51388
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-51388.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-51388
- Aliases
-
- GHSA-mcqg-gqxr-hqgj
- Published
- 2024-02-22T15:53:46.458Z
- Modified
- 2025-11-29T15:10:05.419062Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- HertzBeat AviatorScript Inject RCE
- Details
-
Hertzbeat is a real-time monitoring system. In
CalculateAlarm.java,AviatorEvaluatoris used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/51xxx/CVE-2023-51388.json", "cwe_ids": [ "CWE-74" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/apache/hertzbeat
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/hertzbeat
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"source": "https://github.com/apache/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2",
"target": {
"file": "common/src/test/java/org/dromara/hertzbeat/common/config/AviatorConfigurationTest.java"
},
"id": "CVE-2023-51388-11378682",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"274775634421276378436326844491850087155",
"128393106103258956987014331142665941882",
"3432327775432734745529021815806477575",
"102967356149164166109685571045507810064"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"source": "https://github.com/apache/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2",
"target": {
"file": "common/src/main/java/org/dromara/hertzbeat/common/config/AviatorConfiguration.java"
},
"id": "CVE-2023-51388-34ccf40b",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"74708616442641397348423916365962824082",
"77096554783898034189241389006509026379",
"9735618267274334251772998096512522863",
"312878533461543084548085465714826384563",
"70717211903190448744977739483752820958",
"302177120682052617560229298450366854353",
"58717572691508086259303641244349212999",
"328940450055653003194989771905427156507",
"179449344807575227043281210427035794002",
"272455907041846220979147902236925902041",
"199183973939738630114866595826804051251",
"274472597282784781626149211244042460510",
"137463512803590457496429705538433839916",
"108902009683142407908436038768132257668",
"268054759885468681381021315422413284125",
"223585108349330856241056143378929791157"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/apache/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2",
"target": {
"file": "common/src/main/java/org/dromara/hertzbeat/common/config/AviatorConfiguration.java",
"function": "configAviatorEvaluator"
},
"id": "CVE-2023-51388-f553703a",
"signature_version": "v1",
"digest": {
"function_hash": "48332701360318354387238206730059399375",
"length": 1072.0
},
"deprecated": false
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-51388.json"