AviatorScript Injection in Hertzbeat's CalculateAlarm.java

AviatorScript Injection in Hertzbeat's CalculateAlarm.java

CVE-2023-51388 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript (which can execute any static method by default) script injection. Version 1.4.1 fixes this vulnerability.

Learn more about our Web Application Penetration Testing UK.