Apache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum it enables high-impact integrity and confidentiality compromise on the IoTDB process.
Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector from 0.13.0 through 0.13.3. Attackers could log in without authorization. This is fixed in 0.13.4.
Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.
Apache IoTDB version 0.13.0 is vulnerable to session id attack. Users should upgrade to version 0.13.1 which addresses this issue.