CVE-2023-51653

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-51653

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-51653.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-51653

Aliases

GHSA-gcmp-vf6v-59gg

Published

2024-02-22T15:39:49Z

Modified

2025-10-30T19:31:48Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Hertzbeat JMX JNDI RCE

Details

Hertzbeat is a real-time monitoring system. In the implementation of JmxCollectImpl.java, JMXConnectorFactory.connect is vulnerable to JNDI injection. The corresponding interface is /api/monitor/detect. If there is a URL field, the address will be used by default. When the URL is service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari, it can be exploited to cause remote code execution. Version 1.4.1 contains a fix for this issue.

Database specific

{
    "cwe_ids": [
        "CWE-74"
    ]
}

References

Affected packages

Git / github.com/apache/hertzbeat

Affected ranges

Type: GIT
Repo: https://github.com/apache/hertzbeat
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f794b0d82be49c596c04a042976446559eb315ef

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/apache/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef",
        "target": {
            "file": "manager/src/test/java/org/dromara/hertzbeat/manager/ManagerTest.java"
        },
        "id": "CVE-2023-51653-5b958431",
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "264279008644784699418262652804059537501",
                "120875596640835542397776868398116045597",
                "258285404286298889403575575821793570720",
                "223442173927715700071049849052723039320",
                "241547360121169751654130154391421850187"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "source": "https://github.com/apache/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef",
        "target": {
            "file": "manager/src/main/java/org/dromara/hertzbeat/manager/Manager.java"
        },
        "id": "CVE-2023-51653-940e8114",
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "49489112521453334568809327732723880647",
                "263277418407213638113615125776491577487",
                "228502565011704919551309078278297924678",
                "245678312694703467187201074791054919190",
                "159116424457122217288363013303652569906",
                "319477453200846306053542726919463989972",
                "126038040553103131459172119496479495339"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    }
]