CVE-2024-42361

CVSS V2 None CVSS V3 None

Description

Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.

Overview

CVE ID
CVE-2024-42361

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-08-20T20:56:20.155Z

Last Modified Date
2024-08-20T20:56:20.155Z

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

References

Reference URL	Reference Tags
https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/	x_refsource_CONFIRM
https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/manager/src/main/java/org/dromara/hertzbeat/manager/controller/MonitorsController.java#L202	x_refsource_MISC
https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L242	x_refsource_MISC
https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L295	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-42361
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42361

History

Created	Old Value	New Value	Data Type	Notes
2024-08-21 13:10:37				Added to TrackCVE