CVE-2024-42361

Name of the Vulnerable Software and Affected Versions Hertzbeat versions 1.6.0 and earlier

Description Hertzbeat is an open source, real-time monitoring system. It declares an endpoint /api/monitor/{monitorId}/metric/{metricFull} to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection. The monitorId and metricFull variables are used in this endpoint.

Recommendations For Hertzbeat versions 1.6.0 and earlier, as a temporary workaround, consider restricting access to the /api/monitor/{monitorId}/metric/{metricFull} endpoint until a patch is available. Avoid using user-controlled data in SQL queries to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.