CVE-2023-51387

Name of the Vulnerable Software and Affected Versions Hertzbeat versions prior to 1.4.1

Description Hertzbeat is an open-source, real-time monitoring system that uses aviatorscript to evaluate alert expressions. Due to improper sanitization for alert expressions, a malicious user can use a crafted alert expression to execute any command on the Hertzbeat server. This issue allows a malicious user with access to the alert define function to execute any command in the Hertzbeat instance.

Recommendations For versions prior to 1.4.1, update to version 1.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the alert define function to minimize the risk of exploitation.