CVE-2023-51388 Information

Description

Hertzbeat is a real-time monitoring system. In CalculateAlarm.java AviatorEvaluator is used to directly execute the expression function and no security policy is configured resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.

Reference

https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2