20 vulnerabilities found for Apache IoTDB by Apache Software Foundation
CVE-2025-48392 (GCVE-0-2025-48392)
Vulnerability from cvelistv5 – Published: 2025-09-24 07:59 – Updated: 2025-11-04 21:11
Summary
A vulnerability in Apache IoTDB.
This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.
Users are recommended to upgrade to version 2.0.5, which fixes the issue.
Severity ?
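No CVSS score from the CNA, which rates the issue "moderate". The CISA-ADP container in the record below scores it 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps it to CWE-400.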
CWE
- DoS Vulnerability
Assigner
References
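| URL | Tags |
|---|---|
| https://lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/09/24/9 | |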
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.3.3 , ≤ 1.3.4
(semver)
Affected: 2.0.1-beta , ≤ 2.0.4 (semver) |
Credits
yyjLF
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48392",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-24T18:47:15.364131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T18:47:35.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:04.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "1.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "2.0.1-beta",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "yyjLF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
}
],
"value": "A vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "DoS Vulnerability",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T07:59:52.592Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: DoS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48392",
"datePublished": "2025-09-24T07:59:52.592Z",
"dateReserved": "2025-05-20T01:52:06.367Z",
"dateUpdated": "2025-11-04T21:11:04.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48459 (GCVE-0-2025-48459)
Vulnerability from cvelistv5 – Published: 2025-09-24 07:57 – Updated: 2025-11-04 21:11
Summary
Deserialization of Untrusted Data vulnerability in Apache IoTDB.
This issue affects Apache IoTDB: from 1.0.0 before 2.0.5.
Users are recommended to upgrade to version 2.0.5, which fixes the issue.
Severity ?
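No CVSS score from the CNA, which rates the issue "moderate". The CISA-ADP container in the record below scores it 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).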
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
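| URL | Tags |
|---|---|
| https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/09/24/8 | |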
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.0.0 , < 2.0.5
(semver)
|
Credits
Sanny
75Acol
stan fang
Wu Jiang
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-24T18:47:45.575083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T18:48:01.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:05.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sanny"
},
{
"lang": "en",
"type": "finder",
"value": "75Acol"
},
{
"lang": "en",
"type": "finder",
"value": "stan fang"
},
{
"lang": "en",
"type": "finder",
"value": "Wu Jiang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T07:57:24.444Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Deserialization of untrusted Data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48459",
"datePublished": "2025-09-24T07:57:24.444Z",
"dateReserved": "2025-05-22T06:25:16.580Z",
"dateUpdated": "2025-11-04T21:11:05.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26864 (GCVE-0-2025-26864)
Vulnerability from cvelistv5 – Published: 2025-05-14 10:44 – Updated: 2025-05-19 18:41
Summary
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.
This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.
Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
Severity ?
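No CVSS score from the CNA, which rates the issue "low". The CISA-ADP container in the record below scores it 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), so the two ratings differ and both should be read before prioritising.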
CWE
Assigner
References
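| URL | Tags |
|---|---|
| https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162 | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/05/14/4 | |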
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.10.0 , ≤ 1.3.3
(semver)
Affected: 2.0.1-beta , < 2.0.2 (semver) |
Credits
Kyler Katz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-14T11:04:06.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/14/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-26864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T18:41:20.186388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T18:41:38.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "0.10.0",
"versionType": "semver"
},
{
"lessThan": "2.0.2",
"status": "affected",
"version": "2.0.1-beta",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kyler Katz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpenIdAuthorizer of\u003c/span\u003e Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\n\nUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T10:44:12.712Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-26864",
"datePublished": "2025-05-14T10:44:12.712Z",
"dateReserved": "2025-02-17T09:52:26.132Z",
"dateUpdated": "2025-05-19T18:41:38.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24780 (GCVE-0-2024-24780)
Vulnerability from cvelistv5 – Published: 2025-05-14 10:42 – Updated: 2025-05-15 04:01
Summary
Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. An attacker who has the privilege to create UDFs can register a malicious function from an untrusted URI.
This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.
Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Severity ?
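No CVSS score from the CNA, which rates the issue "moderate". The CISA-ADP container in the record below scores it 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); that vector uses PR:N, whereas the summary says the attacker needs the privilege to create UDFs, so check who holds that privilege in a given deployment when prioritising.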
CWE
- Remote Code Execution with untrusted URI of User-defined function
Assigner
References
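| URL | Tags |
|---|---|
| https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/05/14/2 | |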
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.0.0 , < 1.3.4
(semver)
|
Credits
Y4 tacker
Nbxiglk
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-14T11:03:09.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/14/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T04:01:59.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.3.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Y4 tacker"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u0026nbsp;privilege to create UDF can register malicious function from\u0026nbsp;untrusted URI.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u00a0privilege to create UDF can register malicious function from\u00a0untrusted URI.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\n\nUsers are recommended to upgrade to version 1.3.4, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution with untrusted URI of User-defined function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T10:42:20.580Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-24780",
"datePublished": "2025-05-14T10:42:20.580Z",
"dateReserved": "2024-01-30T10:43:03.969Z",
"dateUpdated": "2025-05-15T04:01:59.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46226 (GCVE-0-2023-46226)
Vulnerability from cvelistv5 – Published: 2024-01-15 10:35 – Updated: 2025-06-20 16:51
Summary
Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.
Users are recommended to upgrade to version 1.3.0, which fixes the issue.
Severity ?
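No CVSS score from the CNA, which rates the issue "moderate". The CISA-ADP container in the record below scores it 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps it to CWE-94.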
CWE
- Remote code execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.0.0 , ≤ 1.2.2
(semver)
|
Credits
Glassy of EagleCloud
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-16T19:33:03.388067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T16:51:31.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.2.2",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Glassy of EagleCloud"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Remote Code Execution vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-15T10:40:05.829Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Remote Code Execution (RCE) risk via the UDF",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46226",
"datePublished": "2024-01-15T10:35:49.810Z",
"dateReserved": "2023-10-19T01:26:14.726Z",
"dateUpdated": "2025-06-20T16:51:31.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51656 (GCVE-0-2023-51656)
Vulnerability from cvelistv5 – Published: 2023-12-21 11:47 – Updated: 2025-02-13 17:19
Summary
Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.
Users are recommended to upgrade to version 1.2.2, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0 , ≤ 0.13.4
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:34.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.13.4",
"status": "affected",
"version": "0.13.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.2.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\n\nUsers are recommended to upgrade to version 1.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-21T11:50:05.570Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Unsafe deserialize map in Sync Tool",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51656",
"datePublished": "2023-12-21T11:47:57.912Z",
"dateReserved": "2023-12-21T10:48:18.431Z",
"dateUpdated": "2025-02-13T17:19:46.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24831 (GCVE-0-2023-24831)
Vulnerability from cvelistv5 – Published: 2023-04-17 06:42 – Updated: 2024-10-21 14:17
Summary
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.
Attackers could login without authorization. This is fixed in 0.13.4.
Severity ?
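No CVSS score from the CNA, which rates the issue "low". The CISA-ADP container in the record below scores it 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so the two ratings differ and both should be read before prioritising.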
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0 , ≤ 0.13.3
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "iotdb",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "0.13.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T14:14:59.918874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T14:17:36.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.13.3",
"status": "affected",
"version": "0.13.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\u003c/p\u003eAttackers could login without authorization. This is fixed in 0.13.4."
}
],
"value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\n\nAttackers could login without authorization. This is fixed in 0.13.4."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-17T06:42:06.404Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB grafana-connector Login Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-24831",
"datePublished": "2023-04-17T06:42:06.404Z",
"dateReserved": "2023-01-30T15:53:19.799Z",
"dateUpdated": "2024-10-21T14:17:36.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43766 (GCVE-0-2022-43766)
Vulnerability from cvelistv5 – Published: 2022-10-26 00:00 – Updated: 2025-05-07 13:39
Summary
Apache IoTDB versions 0.12.2 to 0.12.6 and 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3, which addresses this issue, or use a later version of Java to avoid it.
Severity ?
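No CVSS score from the CNA, whose record carries only the severity text "low". The CISA-ADP container in the record below scores it 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps it to CWE-400.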
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
unspecified , ≤ 0.13.2
(custom)
Affected: 0.12.2 , < unspecified (custom) |
Credits
This issue was discovered by 4ra1n of Chaitin Tech
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:38:38.720444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:39:27.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.13.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.12.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by 4ra1n of Chaitin Tech"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": " ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-26T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB prior to 0.13.3 allows DoS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-43766",
"datePublished": "2022-10-26T00:00:00.000Z",
"dateReserved": "2022-10-26T00:00:00.000Z",
"dateUpdated": "2025-05-07T13:39:27.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38370 (GCVE-0-2022-38370)
Vulnerability from cvelistv5 – Published: 2022-09-05 09:50 – Updated: 2024-08-03 10:54
Summary
Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of the database. Users should upgrade to version 0.13.1, which addresses this issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
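| URL | Tags |
|---|---|
| https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/09/05/2 | mailing-list, x_refsource_MLIST |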
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:54:03.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j"
},
{
"name": "[oss-security] 20220905 CVE-2022-38370: Apache IoTDB: No authorization of DatabaseConnectController in grafana-connector.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": " ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T11:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j"
},
{
"name": "[oss-security] 20220905 CVE-2022-38370: Apache IoTDB: No authorization of DatabaseConnectController in grafana-connector.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "No authorization of DatabaseConnectController in grafana-connector. ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-38370",
"STATE": "PUBLIC",
"TITLE": "No authorization of DatabaseConnectController in grafana-connector. "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache IoTDB",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "0.13.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": " "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j"
},
{
"name": "[oss-security] 20220905 CVE-2022-38370: Apache IoTDB: No authorization of DatabaseConnectController in grafana-connector.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-38370",
"datePublished": "2022-09-05T09:50:10",
"dateReserved": "2022-08-16T00:00:00",
"dateUpdated": "2024-08-03T10:54:03.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38369 (GCVE-0-2022-38369)
Vulnerability from cvelistv5 – Published: 2022-09-05 09:50 – Updated: 2024-08-03 10:54
Summary
Apache IoTDB version 0.13.0 is vulnerable to a session ID attack (the record title describes it as a login check vulnerability by session ID). Users should upgrade to version 0.13.1, which addresses this issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
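| URL | Tags |
|---|---|
| https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/09/05/1 | mailing-list, x_refsource_MLIST |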
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:54:03.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0"
},
{
"name": "[oss-security] 20220905 CVE-2022-38369: Apache IoTDB: Login check vulnerability by session Id",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": " ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T11:06:08",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0"
},
{
"name": "[oss-security] 20220905 CVE-2022-38369: Apache IoTDB: Login check vulnerability by session Id",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Login check vulnerability by session Id",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-38369",
"STATE": "PUBLIC",
"TITLE": "Login check vulnerability by session Id"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache IoTDB",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "0.13.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": " "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0"
},
{
"name": "[oss-security] 20220905 CVE-2022-38369: Apache IoTDB: Login check vulnerability by session Id",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-38369",
"datePublished": "2022-09-05T09:50:09",
"dateReserved": "2022-08-16T00:00:00",
"dateUpdated": "2024-08-03T10:54:03.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48392 (GCVE-0-2025-48392)
Vulnerability from nvd – Published: 2025-09-24 07:59 – Updated: 2025-11-04 21:11
Summary
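A denial-of-service vulnerability in Apache IoTDB (the CNA labels it "DoS Vulnerability"; the CISA-ADP container classifies it as CWE-400, Uncontrolled Resource Consumption).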
This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.
Users are recommended to upgrade to version 2.0.5, which fixes the issue.
Severity ?
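No CVSS score from the CNA (Apache), which rates this issue "moderate" in text only. The CISA-ADP container in the record below adds a CVSS 3.1 base score of 7.5 (HIGH), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.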
CWE
- DoS Vulnerability
Assigner
References
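| URL | Tags |
|---|---|
| https://lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/09/24/9 | |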
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.3.3 , ≤ 1.3.4
(semver)
Affected: 2.0.1-beta , ≤ 2.0.4 (semver) |
Credits
yyjLF
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48392",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-24T18:47:15.364131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T18:47:35.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:04.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "1.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "2.0.1-beta",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "yyjLF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
}
],
"value": "A vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "DoS Vulnerability",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T07:59:52.592Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: DoS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48392",
"datePublished": "2025-09-24T07:59:52.592Z",
"dateReserved": "2025-05-20T01:52:06.367Z",
"dateUpdated": "2025-11-04T21:11:04.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48459 (GCVE-0-2025-48459)
Vulnerability from nvd – Published: 2025-09-24 07:57 – Updated: 2025-11-04 21:11
Summary
Deserialization of Untrusted Data vulnerability in Apache IoTDB.
This issue affects Apache IoTDB: from 1.0.0 before 2.0.5.
Users are recommended to upgrade to version 2.0.5, which fixes the issue.
Severity ?
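No CVSS score from the CNA (Apache), which rates this issue "moderate" in text only. The CISA-ADP container in the record below adds a CVSS 3.1 base score of 5.3 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.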
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
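| URL | Tags |
|---|---|
| https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/09/24/8 | |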
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.0.0 , < 2.0.5
(semver)
|
Credits
Sanny
75Acol
stan fang
Wu Jiang
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-24T18:47:45.575083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T18:48:01.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:05.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sanny"
},
{
"lang": "en",
"type": "finder",
"value": "75Acol"
},
{
"lang": "en",
"type": "finder",
"value": "stan fang"
},
{
"lang": "en",
"type": "finder",
"value": "Wu Jiang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T07:57:24.444Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Deserialization of untrusted Data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48459",
"datePublished": "2025-09-24T07:57:24.444Z",
"dateReserved": "2025-05-22T06:25:16.580Z",
"dateUpdated": "2025-11-04T21:11:05.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26864 (GCVE-0-2025-26864)
Vulnerability from nvd – Published: 2025-05-14 10:44 – Updated: 2025-05-19 18:41
Summary
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.
This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.
Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
Severity ?
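No CVSS score from the CNA (Apache), which rates this issue "low" in text only. The CISA-ADP container in the record below adds a CVSS 3.1 base score of 7.5 (HIGH), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, so the two severity assessments differ.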
CWE
Assigner
References
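| URL | Tags |
|---|---|
| https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162 | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/05/14/4 | |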
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.10.0 , ≤ 1.3.3
(semver)
Affected: 2.0.1-beta , < 2.0.2 (semver) |
Credits
Kyler Katz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-14T11:04:06.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/14/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-26864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T18:41:20.186388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T18:41:38.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "0.10.0",
"versionType": "semver"
},
{
"lessThan": "2.0.2",
"status": "affected",
"version": "2.0.1-beta",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kyler Katz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpenIdAuthorizer of\u003c/span\u003e Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\n\nUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T10:44:12.712Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-26864",
"datePublished": "2025-05-14T10:44:12.712Z",
"dateReserved": "2025-02-17T09:52:26.132Z",
"dateUpdated": "2025-05-19T18:41:38.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24780 (GCVE-0-2024-24780)
Vulnerability from nvd – Published: 2025-05-14 10:42 – Updated: 2025-05-15 04:01
Summary
Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. An attacker who has the privilege to create a UDF (user-defined function) can register a malicious function from an untrusted URI.
This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.
Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Severity ?
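No CVSS score from the CNA (Apache), which rates this issue "moderate" in text only. The CISA-ADP container in the record below adds a CVSS 3.1 base score of 9.8 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That vector uses PR:N, while the description says the attacker needs the privilege to create a UDF, so the two assessments do not assume the same precondition.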
CWE
- Remote Code Execution with untrusted URI of User-defined function
Assigner
References
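| URL | Tags |
|---|---|
| https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/05/14/2 | |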
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.0.0 , < 1.3.4
(semver)
|
Credits
Y4 tacker
Nbxiglk
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-14T11:03:09.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/14/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T04:01:59.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.3.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Y4 tacker"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRemote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u0026nbsp;privilege to create UDF can register malicious function from\u0026nbsp;untrusted URI.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u00a0privilege to create UDF can register malicious function from\u00a0untrusted URI.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\n\nUsers are recommended to upgrade to version 1.3.4, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution with untrusted URI of User-defined function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T10:42:20.580Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-24780",
"datePublished": "2025-05-14T10:42:20.580Z",
"dateReserved": "2024-01-30T10:43:03.969Z",
"dateUpdated": "2025-05-15T04:01:59.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46226 (GCVE-0-2023-46226)
Vulnerability from nvd – Published: 2024-01-15 10:35 – Updated: 2025-06-20 16:51
Summary
Remote Code Execution vulnerability in Apache IoTDB (the record title attributes the risk to the UDF feature). This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.
Users are recommended to upgrade to version 1.3.0, which fixes the issue.
Severity ?
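No CVSS score from the CNA (Apache), which rates this issue "moderate" in text only. The CISA-ADP container in the record below adds a CVSS 3.1 base score of 9.8 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, so the two severity assessments differ.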
CWE
- Remote code execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.0.0 , ≤ 1.2.2
(semver)
|
Credits
Glassy of EagleCloud
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-16T19:33:03.388067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T16:51:31.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.2.2",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Glassy of EagleCloud"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Remote Code Execution vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-15T10:40:05.829Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Remote Code Execution (RCE) risk via the UDF",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46226",
"datePublished": "2024-01-15T10:35:49.810Z",
"dateReserved": "2023-10-19T01:26:14.726Z",
"dateUpdated": "2025-06-20T16:51:31.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51656 (GCVE-0-2023-51656)
Vulnerability from nvd – Published: 2023-12-21 11:47 – Updated: 2025-02-13 17:19
Summary
Deserialization of Untrusted Data vulnerability in Apache IoTDB (the record title locates it in the Sync Tool). This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.
Users are recommended to upgrade to version 1.2.2, which fixes the issue.
Severity ?
No CVSS data available in the record below; the CNA (Apache) rates this issue "low" in text only.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0 , ≤ 0.13.4
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:34.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.13.4",
"status": "affected",
"version": "0.13.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.2.2, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\n\nUsers are recommended to upgrade to version 1.2.2, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-21T11:50:05.570Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Unsafe deserialize map in Sync Tool",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51656",
"datePublished": "2023-12-21T11:47:57.912Z",
"dateReserved": "2023-12-21T10:48:18.431Z",
"dateUpdated": "2025-02-13T17:19:46.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24831 (GCVE-0-2023-24831)
Vulnerability from nvd – Published: 2023-04-17 06:42 – Updated: 2024-10-21 14:17
Summary
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.
Attackers could log in without authorization. This is fixed in 0.13.4.
Severity ?
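No CVSS score is shown for the CNA (Apache). The CISA-ADP container in the record below adds a CVSS 3.1 base score of 9.8 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.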
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0 , ≤ 0.13.3
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "iotdb",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "0.13.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T14:14:59.918874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T14:17:36.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.13.3",
"status": "affected",
"version": "0.13.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\u003c/p\u003eAttackers could login without authorization. This is fixed in 0.13.4."
}
],
"value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\n\nAttackers could login without authorization. This is fixed in 0.13.4."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-17T06:42:06.404Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB grafana-connector Login Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-24831",
"datePublished": "2023-04-17T06:42:06.404Z",
"dateReserved": "2023-01-30T15:53:19.799Z",
"dateUpdated": "2024-10-21T14:17:36.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43766 (GCVE-0-2022-43766)
Vulnerability from nvd – Published: 2022-10-26 00:00 – Updated: 2025-05-07 13:39
Summary
Apache IoTDB versions 0.12.2 to 0.12.6 and 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3, which addresses this issue, or use a later version of Java to avoid it.
Severity ?
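No CVSS score from the CNA, whose record carries only an untyped severity value of "low". The CISA-ADP container in the record below scores this issue CVSS 3.1 7.5 (HIGH), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
CWE
- CWE-400 - Uncontrolled Resource Consumption (assigned by CISA-ADP; the CNA record gives no CWE)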
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
unspecified , ≤ 0.13.2
(custom)
Affected: 0.12.2 , < unspecified (custom) |
Credits
This issue was discovered by 4ra1n of Chaitin Tech
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:38:38.720444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:39:27.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.13.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.12.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by 4ra1n of Chaitin Tech"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": " ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-26T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB prior to 0.13.3 allows DoS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-43766",
"datePublished": "2022-10-26T00:00:00.000Z",
"dateReserved": "2022-10-26T00:00:00.000Z",
"dateUpdated": "2025-05-07T13:39:27.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38370 (GCVE-0-2022-38370)
Vulnerability from nvd – Published: 2022-09-05 09:50 – Updated: 2024-08-03 10:54
Summary
Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of the database. Users should upgrade to version 0.13.1, which addresses this issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
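| URL | Tags |
|---|---|
| https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/09/05/2 | mailing-list, x_refsource_MLIST |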
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:54:03.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j"
},
{
"name": "[oss-security] 20220905 CVE-2022-38370: Apache IoTDB: No authorization of DatabaseConnectController in grafana-connector.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": " ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T11:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j"
},
{
"name": "[oss-security] 20220905 CVE-2022-38370: Apache IoTDB: No authorization of DatabaseConnectController in grafana-connector.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "No authorization of DatabaseConnectController in grafana-connector. ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-38370",
"STATE": "PUBLIC",
"TITLE": "No authorization of DatabaseConnectController in grafana-connector. "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache IoTDB",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "0.13.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": " "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j"
},
{
"name": "[oss-security] 20220905 CVE-2022-38370: Apache IoTDB: No authorization of DatabaseConnectController in grafana-connector.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-38370",
"datePublished": "2022-09-05T09:50:10",
"dateReserved": "2022-08-16T00:00:00",
"dateUpdated": "2024-08-03T10:54:03.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38369 (GCVE-0-2022-38369)
Vulnerability from nvd – Published: 2022-09-05 09:50 – Updated: 2024-08-03 10:54
Summary
Apache IoTDB version 0.13.0 is vulnerable to a session ID attack. Users should upgrade to version 0.13.1, which addresses this issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
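| URL | Tags |
|---|---|
| https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/09/05/1 | mailing-list, x_refsource_MLIST |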
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
0.13.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:54:03.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0"
},
{
"name": "[oss-security] 20220905 CVE-2022-38369: Apache IoTDB: Login check vulnerability by session Id",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": " ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T11:06:08",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0"
},
{
"name": "[oss-security] 20220905 CVE-2022-38369: Apache IoTDB: Login check vulnerability by session Id",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Login check vulnerability by session Id",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-38369",
"STATE": "PUBLIC",
"TITLE": "Login check vulnerability by session Id"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache IoTDB",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "0.13.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": " "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0"
},
{
"name": "[oss-security] 20220905 CVE-2022-38369: Apache IoTDB: Login check vulnerability by session Id",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/09/05/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-38369",
"datePublished": "2022-09-05T09:50:09",
"dateReserved": "2022-08-16T00:00:00",
"dateUpdated": "2024-08-03T10:54:03.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}