CVE-2022-39337 HIGH

CVE-2022-39337: Permission bypass due to incorrect configuration in github.com/dromara/hertzbeat

Vendor Dromara
Product hertzbeat
Weakness CWE-284
Published December 22, 2023
Last update August 3, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can be bypassed and invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.

Key dates

02Disclosure timeline

December 22, 2023 CVE published
August 3, 2024 Record updated