CVE-2024-42323Deserialization of Untrusted Data in Software Foundation Apache Hertzbeat

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
8.8HIGHNVD
EPSS
75.6%
top 1.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache HertzbeatApache Hertzbeat
Timeline
PublishedSep 21

Description

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.0. Users are recommended to upgrade to version 1.6.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDapache/hertzbeat< 1.6.0

🔴Vulnerability Details

2
CVEList
Apache HertzBeat: RCE by snakeYaml deser load malicious xml2024-09-21
GHSA
GHSA-8qj3-h82r-hcwc: SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating)2024-09-21
CVE-2024-42323 — Deserialization of Untrusted Data | cvebase