CVE-2023-51653
Published: 22 February 2024
Summary
CVE-2023-51653 is a critical-severity Injection (CWE-74) vulnerability in Apache Hertzbeat. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 11.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Hertzbeat is a real-time monitoring system affected by CVE-2023-51653, a JNDI injection vulnerability in the JMX collection logic implemented in JmxCollectImpl.java. The flaw resides in the handling of JMXConnectorFactory.connect calls exposed through the /api/monitor/detect endpoint; when a URL field is supplied, the provided address is used directly, allowing values such as service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari to trigger remote code execution. The issue is tracked under CWE-74 and carries a CVSS 3.1 score of 9.8.
An unauthenticated network attacker can exploit the vulnerability by submitting a crafted JMX service URL to the detection interface, resulting in arbitrary code execution on the Hertzbeat server with no required credentials or user interaction.
The associated GitHub security advisory GHSA-gcmp-vf6v-59gg and the referenced commit document that the flaw is resolved in version 1.4.1. The EPSS score remains low, with a modest peak of 0.0594 that has since declined, indicating limited observed exploitation interest.
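The root cause above is that a caller-supplied JMX service URL reaches `JMXConnectorFactory.connect` unchecked. The following added example (not Hertzbeat's code and not the 1.4.1 fix) shows one way to validate such a URL before connecting; the class name `JmxUrlGuard`, the `ALLOWED` endpoint list and the requirement that the bound name be the JDK default `jmxrmi` are assumptions made for illustration.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Set;
import javax.management.remote.JMXServiceURL;

public class JmxUrlGuard {
    // Assumption: operators enumerate the JMX endpoints the monitor may reach.
    static final Set<String> ALLOWED = Set.of("app01.internal.example:9999");

    /** True only for service:jmx:rmi:///jndi/rmi://<allowlisted host:port>/jmxrmi. */
    static boolean isAllowed(String raw) {
        try {
            JMXServiceURL url = new JMXServiceURL(raw);
            String path = url.getURLPath();
            // Accept only the RMI connector in its registry-lookup form.
            if (!"rmi".equals(url.getProtocol()) || !path.startsWith("/jndi/")) {
                return false;
            }
            // The text after /jndi/ is the name handed to JNDI: parse it strictly.
            URI target = new URI(path.substring("/jndi/".length()));
            return "rmi".equals(target.getScheme())
                    && target.getHost() != null
                    && target.getUserInfo() == null
                    && ALLOWED.contains(target.getHost().toLowerCase() + ":" + target.getPort())
                    && "/jmxrmi".equals(target.getPath());
        } catch (MalformedURLException | URISyntaxException e) {
            return false; // unparseable input is never passed to connect()
        }
    }

    public static void main(String[] args) {
        // Constructed samples; the second is the URL shape quoted in the advisory text.
        List<String> samples = List.of(
            "service:jmx:rmi:///jndi/rmi://app01.internal.example:9999/jmxrmi",
            "service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari",
            "not-a-jmx-url");
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "BLOCK ") + s);
        }
    }
}
```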
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56362
Vulnerability details
Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor/detect`. If there is a URL field, the address will be used by default. When the URL is `service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari`, it can be exploited to cause remote code execution. Version 1.4.1 contains a fix for this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.