PT-2024-14103 · Hertzbeat · Hertzbeat

Luelueking · Published 2024-02-22 · Updated 2025-01-16 · CVE-2023-51388

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hertzbeat versions prior to 1.4.1
Description: Hertzbeat is a real-time monitoring system. In CalculateAlarm.java, AviatorEvaluator is used to execute expression functions directly, with no security policy configured, which results in AviatorScript script injection; by default this allows any static method to be executed.
Recommendations: For versions prior to 1.4.1, update to version 1.4.1 to fix the vulnerability. As a temporary workaround, consider disabling the AviatorEvaluator function until a patch is available. Restrict access to the CalculateAlarm.java module to minimize the risk of exploitation. Avoid using the AviatorEvaluator in the affected API endpoints until the issue is resolved.
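The hardened pattern behind the recommendation above, as an added Java example that is not Hertzbeat's code: a dedicated AviatorScript 5.x evaluator instance with the extended language features (static method and field access, object construction, module import) switched off, so an alert rule can only do arithmetic and comparisons. The class name, the `fires` method and the `usage` metric are assumptions for illustration.

```java
import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical wrapper (not Hertzbeat's code) around an AviatorScript 5.x instance
// that only permits the arithmetic/boolean expressions an alert threshold needs.
public class AlertExpressionEvaluator {
    private final AviatorEvaluatorInstance evaluator;

    public AlertExpressionEvaluator() {
        // Unsafe pattern from the advisory: AviatorEvaluator.execute(rule, env) on the shared
        // default instance with no options set leaves static methods of any class reachable.
        // Hardened: a private instance with the extended language features switched off.
        this.evaluator = AviatorEvaluator.newInstance();
        // Empty feature set: no static method/field access, no 'new', no module import,
        // no assignment, lambdas, loops or if-statements. Threshold rules need none of them.
        this.evaluator.setOption(Options.FEATURE_SET, Feature.asSet());
        // Belt and braces: an empty class allowlist for any remaining reflective path.
        this.evaluator.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
    }

    // Compiles the rule (cached by its text) and evaluates it against the metric values.
    public boolean fires(String rule, Map<String, Object> metrics) {
        Object result = evaluator.execute(rule, metrics, true);
        if (!(result instanceof Boolean)) {
            throw new IllegalArgumentException("alert rule must yield a boolean: " + rule);
        }
        return (Boolean) result;
    }

    public static void main(String[] args) {
        AlertExpressionEvaluator safe = new AlertExpressionEvaluator();
        Map<String, Object> metrics = new HashMap<>(); // constructed sample metric values
        metrics.put("usage", 93.5);
        System.out.println("usage > 90 -> " + safe.fires("usage > 90", metrics)); // true
        // A rule that reaches into a Java class is refused (at compile or run time,
        // depending on the Aviator version); treat any failure as an invalid rule.
        try {
            safe.fires("java.lang.Math.abs(-1) > 0", metrics);
            System.out.println("unexpected: static call was allowed");
        } catch (RuntimeException e) {
            System.out.println("rejected static call: " + e.getClass().getSimpleName());
        }
    }
}
```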

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2023-51388
GHSA-MCQG-GQXR-HQGJ

Affected Products

Hertzbeat