Search

Find a vulnerability

Search criteria

    41 vulnerabilities found for IoTDB by Apache

    CVE-2026-24014 (GCVE-0-2026-24014)

    Vulnerability from nvd – Published: 2026-07-06 08:34 – Updated: 2026-07-06 20:37
    VLAI
    Title
    Apache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write
    Summary
    Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , < 2.0.8 (semver)
    Create a notification for this product.
    Credits
    Yan Nan (Detecon Security Lab).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24014",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T19:08:49.734562Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T19:09:10.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:37:58.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/06/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.8",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yan Nan (Detecon Security Lab)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eApache IoTDB DataNode\u2019s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Apache IoTDB DataNode\u2019s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T08:34:26.447Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/38298f803gb5j9nlhf0l9zkf34o90h3m"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24014",
        "datePublished": "2026-07-06T08:34:26.447Z",
        "dateReserved": "2026-01-20T03:04:59.061Z",
        "dateUpdated": "2026-07-06T20:37:58.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24013 (GCVE-0-2026-24013)

    Vulnerability from nvd – Published: 2026-07-06 08:38 – Updated: 2026-07-06 20:37
    VLAI
    Title
    Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC
    Summary
    Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , < 2.0.8 (semver)
    Create a notification for this product.
    Credits
    Yan Nan (Detecon Security Lab)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24013",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T19:10:47.800876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T19:11:12.339Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:37:57.934Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/06/11"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.8",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yan Nan (Detecon Security Lab)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthentication Bypass by Spoofing vulnerability in Apache IoTDB.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain Thrift RPC query handlers lack strict validation of the sessionId\nparameter. An attacker can construct requests with a forged sessionId and,\nwithout performing openSession authentication, receive valid query results.\nThis allows authentication bypass and unauthorized reading of time-series\ndata.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Authentication Bypass by Spoofing vulnerability in Apache IoTDB.\nCertain Thrift RPC query handlers lack strict validation of the sessionId\nparameter. An attacker can construct requests with a forged sessionId and,\nwithout performing openSession authentication, receive valid query results.\nThis allows authentication bypass and unauthorized reading of time-series\ndata.\n\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T08:38:54.778Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/6pwkgnqhbm56mvn309f87snm84s0b75y"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24013",
        "datePublished": "2026-07-06T08:38:54.778Z",
        "dateReserved": "2026-01-20T02:32:08.414Z",
        "dateUpdated": "2026-07-06T20:37:57.934Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24012 (GCVE-0-2026-24012)

    Vulnerability from nvd – Published: 2026-07-06 08:38 – Updated: 2026-07-06 20:37
    VLAI
    Title
    Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
    Summary
    Uncontrolled Resource Consumption vulnerability in Apache IoTDB.  Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , < 2.0.8 (semver)
    Create a notification for this product.
    Credits
    Yan Nan (Detecon Security Lab)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24012",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T12:59:08.459706Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T12:59:14.486Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:37:56.860Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/06/10"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.8",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yan Nan (Detecon Security Lab)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache IoTDB.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSome interface\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;fails to impose reasonable\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nlimits on the time span and aggregation interval of the query.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\ncan construct a request with extreme parameters (e.g., a very large time\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nrange combined with a minimal interval).\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis forces the DataNode to build\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nan enormous result set in memory, which exhausts the Java heap and causes\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nthe DataNode process to crash.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\u00a0\n\nSome interface\u00a0fails to impose reasonable\nlimits on the time span and aggregation interval of the query.\u00a0An attacker\ncan construct a request with extreme parameters (e.g., a very large time\nrange combined with a minimal interval).\u00a0This forces the DataNode to build\nan enormous result set in memory, which exhausts the Java heap and causes\nthe DataNode process to crash.\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T08:38:25.308Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24012",
        "datePublished": "2026-07-06T08:38:25.308Z",
        "dateReserved": "2026-01-20T02:30:29.932Z",
        "dateUpdated": "2026-07-06T20:37:56.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24713 (GCVE-0-2026-24713)

    Vulnerability from nvd – Published: 2026-03-09 08:59 – Updated: 2026-03-10 17:55
    VLAI
    Title
    Apache IoTDB: JEXL Expression Injection Vulnerability
    Summary
    Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 1.3.7 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Credits
    Yongzhi Liu of Tencent YunDing Security Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-09T09:19:57.439Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/09/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24713",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T17:55:24.372118Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T17:55:45.832Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.3.7",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yongzhi Liu of Tencent YunDing Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Input Validation vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\n\nUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-09T08:59:59.259Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/vopgv6y2ccw403b0zv7rvojjrh7x1j5p"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: JEXL Expression Injection Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24713",
        "datePublished": "2026-03-09T08:59:59.259Z",
        "dateReserved": "2026-01-26T02:40:07.150Z",
        "dateUpdated": "2026-03-10T17:55:45.832Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24015 (GCVE-0-2026-24015)

    Vulnerability from nvd – Published: 2026-03-09 08:57 – Updated: 2026-03-10 17:58
    VLAI
    Title
    Apache IoTDB: Insecure Default Configuration Vulnerability
    Summary
    A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1327 - Binding to an Unrestricted IP Address
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 1.3.7 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Credits
    Mapta / BugBunny_ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-09T09:19:55.308Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/09/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24015",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T17:57:58.449781Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T17:58:18.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.3.7",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mapta / BugBunny_ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "A vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\n\nUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1327",
                  "description": "CWE-1327 Binding to an Unrestricted IP Address",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-09T08:57:45.745Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/j769ywdqm46zl3oz5lbffsldklg0ow7p"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Insecure Default Configuration Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24015",
        "datePublished": "2026-03-09T08:57:45.745Z",
        "dateReserved": "2026-01-20T03:23:00.407Z",
        "dateUpdated": "2026-03-10T17:58:18.381Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48459 (GCVE-0-2025-48459)

    Vulnerability from nvd – Published: 2025-09-24 07:57 – Updated: 2025-11-04 21:11
    VLAI
    Title
    Apache IoTDB: Deserialization of untrusted Data
    Summary
    Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 2.0.5 (semver)
    Create a notification for this product.
    Credits
    Sanny 75Acol stan fang Wu Jiang
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48459",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-24T18:47:45.575083Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-24T18:48:01.403Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:11:05.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/09/24/8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.5",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sanny"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "75Acol"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "stan fang"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Wu Jiang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-24T07:57:24.444Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Deserialization of untrusted Data",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-48459",
        "datePublished": "2025-09-24T07:57:24.444Z",
        "dateReserved": "2025-05-22T06:25:16.580Z",
        "dateUpdated": "2025-11-04T21:11:05.598Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48392 (GCVE-0-2025-48392)

    Vulnerability from nvd – Published: 2025-09-24 07:59 – Updated: 2025-11-04 21:11
    VLAI
    Title
    Apache IoTDB: DoS Vulnerability
    Summary
    A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • DoS Vulnerability
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , ≤ 1.3.4 (semver)
    Affected: 2.0.1-beta , ≤ 2.0.4 (semver)
    Create a notification for this product.
    Credits
    yyjLF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48392",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-24T18:47:15.364131Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-24T18:47:35.053Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:11:04.278Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/09/24/9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.4",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "2.0.4",
                  "status": "affected",
                  "version": "2.0.1-beta",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "yyjLF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "A vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "DoS Vulnerability",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-24T07:59:52.592Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: DoS Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-48392",
        "datePublished": "2025-09-24T07:59:52.592Z",
        "dateReserved": "2025-05-20T01:52:06.367Z",
        "dateUpdated": "2025-11-04T21:11:04.278Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26864 (GCVE-0-2025-26864)

    Vulnerability from nvd – Published: 2025-05-14 10:44 – Updated: 2025-05-19 18:41
    VLAI
    Title
    Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 0.10.0 , ≤ 1.3.3 (semver)
    Affected: 2.0.1-beta , < 2.0.2 (semver)
    Create a notification for this product.
    Credits
    Kyler Katz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-14T11:04:06.072Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/05/14/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T18:41:20.186388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T18:41:38.927Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.3",
                  "status": "affected",
                  "version": "0.10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.2",
                  "status": "affected",
                  "version": "2.0.1-beta",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kyler Katz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eExposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpenIdAuthorizer of\u003c/span\u003e Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\n\nUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T10:44:12.712Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-26864",
        "datePublished": "2025-05-14T10:44:12.712Z",
        "dateReserved": "2025-02-17T09:52:26.132Z",
        "dateUpdated": "2025-05-19T18:41:38.927Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-26795 (GCVE-0-2025-26795)

    Vulnerability from nvd – Published: 2025-05-14 10:43 – Updated: 2025-05-19 18:43
    VLAI
    Title
    Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB JDBC driver Affected: 0.10.0 , ≤ 1.3.3 (semver)
    Affected: 2.0.1-beta , < 2.0.2 (semver)
    Create a notification for this product.
    Credits
    Kyler Katz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-14T11:04:03.962Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/05/14/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26795",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T18:43:03.448426Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T18:43:08.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.maven.apache.org/maven2",
              "defaultStatus": "unaffected",
              "packageName": "org.apache.iotdb:iotdb-jdbc",
              "product": "Apache IoTDB JDBC driver",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.3",
                  "status": "affected",
                  "version": "0.10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.2",
                  "status": "affected",
                  "version": "2.0.1-beta",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kyler Katz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eExposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.\u003c/p\u003e\u003cp\u003eThis issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.\n\nThis issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\n\nUsers are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T10:43:05.586Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/bj0ytxr5wg0c4jw8xm7rhfd8ogho0r91"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-26795",
        "datePublished": "2025-05-14T10:43:05.586Z",
        "dateReserved": "2025-02-14T10:32:51.543Z",
        "dateUpdated": "2025-05-19T18:43:08.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-24780 (GCVE-0-2024-24780)

    Vulnerability from nvd – Published: 2025-05-14 10:42 – Updated: 2026-02-26 18:28
    VLAI
    Title
    Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function
    Summary
    Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution with untrusted URI of User-defined function
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 1.3.4 (semver)
    Create a notification for this product.
    Credits
    Y4 tacker Nbxiglk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-14T11:03:09.771Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/05/14/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-24780",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-15T04:02:01.279763Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:28:09.987Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.3.4",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Y4 tacker"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Nbxiglk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eRemote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u0026nbsp;privilege to create UDF can register malicious function from\u0026nbsp;untrusted URI.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u00a0privilege to create UDF can register malicious function from\u00a0untrusted URI.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\n\nUsers are recommended to upgrade to version 1.3.4, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution with untrusted URI of User-defined function",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T10:42:20.580Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-24780",
        "datePublished": "2025-05-14T10:42:20.580Z",
        "dateReserved": "2024-01-30T10:43:03.969Z",
        "dateUpdated": "2026-02-26T18:28:09.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-46226 (GCVE-0-2023-46226)

    Vulnerability from nvd – Published: 2024-01-15 10:35 – Updated: 2025-06-20 16:51
    VLAI
    Title
    Apache IoTDB: Remote Code Execution (RCE) risk via the UDF
    Summary
    Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote code execution
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , ≤ 1.2.2 (semver)
    Create a notification for this product.
    Credits
    Glassy of EagleCloud
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:37:40.189Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-16T19:33:03.388067Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T16:51:31.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.2",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Glassy of EagleCloud"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remote Code Execution vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote code execution",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-15T10:40:05.829Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Remote Code Execution (RCE) risk via the UDF",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-46226",
        "datePublished": "2024-01-15T10:35:49.810Z",
        "dateReserved": "2023-10-19T01:26:14.726Z",
        "dateUpdated": "2025-06-20T16:51:31.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-51656 (GCVE-0-2023-51656)

    Vulnerability from nvd – Published: 2023-12-21 11:47 – Updated: 2025-02-13 17:19
    VLAI
    Title
    Apache IoTDB: Unsafe deserialize map in Sync Tool
    Summary
    Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.
    Severity
    No CVSS data available.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 0.13.0 , ≤ 0.13.4 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:40:34.137Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "0.13.4",
                  "status": "affected",
                  "version": "0.13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.2.2, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\n\nUsers are recommended to upgrade to version 1.2.2, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-21T11:50:05.570Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Unsafe deserialize map in Sync Tool",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-51656",
        "datePublished": "2023-12-21T11:47:57.912Z",
        "dateReserved": "2023-12-21T10:48:18.431Z",
        "dateUpdated": "2025-02-13T17:19:46.209Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-24831 (GCVE-0-2023-24831)

    Vulnerability from nvd – Published: 2023-04-17 06:42 – Updated: 2024-10-21 14:17
    VLAI
    Title
    Apache IoTDB grafana-connector Login Bypass Vulnerability
    Summary
    Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 0.13.0 , ≤ 0.13.3 (semver)
    Create a notification for this product.
    apache iotdb Affected: 0 , ≤ 0.13.3 (custom)
        cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:03:19.260Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "iotdb",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "0.13.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-24831",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-21T14:14:59.918874Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-21T14:17:36.529Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "0.13.3",
                  "status": "affected",
                  "version": "0.13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\u003c/p\u003eAttackers could login without authorization. This is fixed in 0.13.4."
                }
              ],
              "value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\n\nAttackers could login without authorization. This is fixed in 0.13.4."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-17T06:42:06.404Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB grafana-connector Login Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-24831",
        "datePublished": "2023-04-17T06:42:06.404Z",
        "dateReserved": "2023-01-30T15:53:19.799Z",
        "dateUpdated": "2024-10-21T14:17:36.529Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-24829 (GCVE-0-2023-24829)

    Vulnerability from nvd – Published: 2023-01-31 09:22 – Updated: 2025-03-27 17:13
    VLAI
    Title
    Apache IoTDB Workbench: apache/iotdb-web-workbench: forge the JWTToken to access workbench
    Summary
    Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Workbench Affected: 0.13.0 , < 0.13.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:03:19.318Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/l0b59hh046tyn4gqot0bdrpg8gxlksmo"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-24829",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-27T17:13:16.567040Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T17:13:42.494Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB Workbench",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "0.13.3",
                  "status": "affected",
                  "version": "0.13.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.\u003cp\u003eThis issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.\u003cbr\u003e\u003cbr\u003eThis problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.\n\nThis problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.\n\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-08T16:15:06.910Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/l0b59hh046tyn4gqot0bdrpg8gxlksmo"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB Workbench: apache/iotdb-web-workbench: forge the JWTToken to access workbench",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-24829",
        "datePublished": "2023-01-31T09:22:41.587Z",
        "dateReserved": "2023-01-30T14:45:51.213Z",
        "dateUpdated": "2025-03-27T17:13:42.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-24830 (GCVE-0-2023-24830)

    Vulnerability from nvd – Published: 2023-01-30 16:25 – Updated: 2025-03-28 14:24
    VLAI
    Title
    Apache IoTDB Workbench: apache/iotdb-web-workbench: create a user without authorization
    Summary
    Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Workbench Affected: 0.13.0 , < 0.13.3 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:03:19.359Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/l4fon37687jz5ohgsnz2ko9fv400915t"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-24830",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T14:24:29.210796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T14:24:59.531Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB Workbench",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "0.13.3",
                  "status": "affected",
                  "version": "0.13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.\u003cp\u003eThis issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-08T16:15:25.489Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/l4fon37687jz5ohgsnz2ko9fv400915t"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB Workbench: apache/iotdb-web-workbench: create a user without authorization",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-24830",
        "datePublished": "2023-01-30T16:25:33.163Z",
        "dateReserved": "2023-01-30T15:43:01.950Z",
        "dateUpdated": "2025-03-28T14:24:59.531Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-24013 (GCVE-0-2026-24013)

    Vulnerability from cvelistv5 – Published: 2026-07-06 08:38 – Updated: 2026-07-06 20:37
    VLAI
    Title
    Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC
    Summary
    Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , < 2.0.8 (semver)
    Create a notification for this product.
    Credits
    Yan Nan (Detecon Security Lab)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24013",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T19:10:47.800876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T19:11:12.339Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:37:57.934Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/06/11"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.8",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yan Nan (Detecon Security Lab)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthentication Bypass by Spoofing vulnerability in Apache IoTDB.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain Thrift RPC query handlers lack strict validation of the sessionId\nparameter. An attacker can construct requests with a forged sessionId and,\nwithout performing openSession authentication, receive valid query results.\nThis allows authentication bypass and unauthorized reading of time-series\ndata.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Authentication Bypass by Spoofing vulnerability in Apache IoTDB.\nCertain Thrift RPC query handlers lack strict validation of the sessionId\nparameter. An attacker can construct requests with a forged sessionId and,\nwithout performing openSession authentication, receive valid query results.\nThis allows authentication bypass and unauthorized reading of time-series\ndata.\n\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T08:38:54.778Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/6pwkgnqhbm56mvn309f87snm84s0b75y"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24013",
        "datePublished": "2026-07-06T08:38:54.778Z",
        "dateReserved": "2026-01-20T02:32:08.414Z",
        "dateUpdated": "2026-07-06T20:37:57.934Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24012 (GCVE-0-2026-24012)

    Vulnerability from cvelistv5 – Published: 2026-07-06 08:38 – Updated: 2026-07-06 20:37
    VLAI
    Title
    Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
    Summary
    Uncontrolled Resource Consumption vulnerability in Apache IoTDB.  Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , < 2.0.8 (semver)
    Create a notification for this product.
    Credits
    Yan Nan (Detecon Security Lab)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24012",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T12:59:08.459706Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T12:59:14.486Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:37:56.860Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/06/10"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.8",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yan Nan (Detecon Security Lab)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache IoTDB.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSome interface\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;fails to impose reasonable\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nlimits on the time span and aggregation interval of the query.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\ncan construct a request with extreme parameters (e.g., a very large time\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nrange combined with a minimal interval).\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis forces the DataNode to build\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nan enormous result set in memory, which exhausts the Java heap and causes\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nthe DataNode process to crash.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\u00a0\n\nSome interface\u00a0fails to impose reasonable\nlimits on the time span and aggregation interval of the query.\u00a0An attacker\ncan construct a request with extreme parameters (e.g., a very large time\nrange combined with a minimal interval).\u00a0This forces the DataNode to build\nan enormous result set in memory, which exhausts the Java heap and causes\nthe DataNode process to crash.\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T08:38:25.308Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24012",
        "datePublished": "2026-07-06T08:38:25.308Z",
        "dateReserved": "2026-01-20T02:30:29.932Z",
        "dateUpdated": "2026-07-06T20:37:56.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24014 (GCVE-0-2026-24014)

    Vulnerability from cvelistv5 – Published: 2026-07-06 08:34 – Updated: 2026-07-06 20:37
    VLAI
    Title
    Apache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write
    Summary
    Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , < 2.0.8 (semver)
    Create a notification for this product.
    Credits
    Yan Nan (Detecon Security Lab).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24014",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T19:08:49.734562Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T19:09:10.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:37:58.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/06/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.8",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yan Nan (Detecon Security Lab)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eApache IoTDB DataNode\u2019s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Apache IoTDB DataNode\u2019s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T08:34:26.447Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/38298f803gb5j9nlhf0l9zkf34o90h3m"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24014",
        "datePublished": "2026-07-06T08:34:26.447Z",
        "dateReserved": "2026-01-20T03:04:59.061Z",
        "dateUpdated": "2026-07-06T20:37:58.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24713 (GCVE-0-2026-24713)

    Vulnerability from cvelistv5 – Published: 2026-03-09 08:59 – Updated: 2026-03-10 17:55
    VLAI
    Title
    Apache IoTDB: JEXL Expression Injection Vulnerability
    Summary
    Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 1.3.7 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Credits
    Yongzhi Liu of Tencent YunDing Security Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-09T09:19:57.439Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/09/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24713",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T17:55:24.372118Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T17:55:45.832Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.3.7",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yongzhi Liu of Tencent YunDing Security Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Input Validation vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\n\nUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-09T08:59:59.259Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/vopgv6y2ccw403b0zv7rvojjrh7x1j5p"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: JEXL Expression Injection Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24713",
        "datePublished": "2026-03-09T08:59:59.259Z",
        "dateReserved": "2026-01-26T02:40:07.150Z",
        "dateUpdated": "2026-03-10T17:55:45.832Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24015 (GCVE-0-2026-24015)

    Vulnerability from cvelistv5 – Published: 2026-03-09 08:57 – Updated: 2026-03-10 17:58
    VLAI
    Title
    Apache IoTDB: Insecure Default Configuration Vulnerability
    Summary
    A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1327 - Binding to an Unrestricted IP Address
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 1.3.7 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Credits
    Mapta / BugBunny_ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-09T09:19:55.308Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/09/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24015",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T17:57:58.449781Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T17:58:18.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.3.7",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mapta / BugBunny_ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "A vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\n\nUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1327",
                  "description": "CWE-1327 Binding to an Unrestricted IP Address",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-09T08:57:45.745Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/j769ywdqm46zl3oz5lbffsldklg0ow7p"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Insecure Default Configuration Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-24015",
        "datePublished": "2026-03-09T08:57:45.745Z",
        "dateReserved": "2026-01-20T03:23:00.407Z",
        "dateUpdated": "2026-03-10T17:58:18.381Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48392 (GCVE-0-2025-48392)

    Vulnerability from cvelistv5 – Published: 2025-09-24 07:59 – Updated: 2025-11-04 21:11
    VLAI
    Title
    Apache IoTDB: DoS Vulnerability
    Summary
    A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • DoS Vulnerability
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.3.3 , ≤ 1.3.4 (semver)
    Affected: 2.0.1-beta , ≤ 2.0.4 (semver)
    Create a notification for this product.
    Credits
    yyjLF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48392",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-24T18:47:15.364131Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-24T18:47:35.053Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:11:04.278Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/09/24/9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.4",
                  "status": "affected",
                  "version": "1.3.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "2.0.4",
                  "status": "affected",
                  "version": "2.0.1-beta",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "yyjLF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "A vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "DoS Vulnerability",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-24T07:59:52.592Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: DoS Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-48392",
        "datePublished": "2025-09-24T07:59:52.592Z",
        "dateReserved": "2025-05-20T01:52:06.367Z",
        "dateUpdated": "2025-11-04T21:11:04.278Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48459 (GCVE-0-2025-48459)

    Vulnerability from cvelistv5 – Published: 2025-09-24 07:57 – Updated: 2025-11-04 21:11
    VLAI
    Title
    Apache IoTDB: Deserialization of untrusted Data
    Summary
    Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 2.0.5 (semver)
    Create a notification for this product.
    Credits
    Sanny 75Acol stan fang Wu Jiang
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48459",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-24T18:47:45.575083Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-24T18:48:01.403Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:11:05.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/09/24/8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.0.5",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sanny"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "75Acol"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "stan fang"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Wu Jiang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.5, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-24T07:57:24.444Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Deserialization of untrusted Data",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-48459",
        "datePublished": "2025-09-24T07:57:24.444Z",
        "dateReserved": "2025-05-22T06:25:16.580Z",
        "dateUpdated": "2025-11-04T21:11:05.598Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26864 (GCVE-0-2025-26864)

    Vulnerability from cvelistv5 – Published: 2025-05-14 10:44 – Updated: 2025-05-19 18:41
    VLAI
    Title
    Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 0.10.0 , ≤ 1.3.3 (semver)
    Affected: 2.0.1-beta , < 2.0.2 (semver)
    Create a notification for this product.
    Credits
    Kyler Katz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-14T11:04:06.072Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/05/14/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T18:41:20.186388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T18:41:38.927Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.3",
                  "status": "affected",
                  "version": "0.10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.2",
                  "status": "affected",
                  "version": "2.0.1-beta",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kyler Katz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eExposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpenIdAuthorizer of\u003c/span\u003e Apache IoTDB.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\n\nUsers are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T10:44:12.712Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-26864",
        "datePublished": "2025-05-14T10:44:12.712Z",
        "dateReserved": "2025-02-17T09:52:26.132Z",
        "dateUpdated": "2025-05-19T18:41:38.927Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-26795 (GCVE-0-2025-26795)

    Vulnerability from cvelistv5 – Published: 2025-05-14 10:43 – Updated: 2025-05-19 18:43
    VLAI
    Title
    Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB JDBC driver Affected: 0.10.0 , ≤ 1.3.3 (semver)
    Affected: 2.0.1-beta , < 2.0.2 (semver)
    Create a notification for this product.
    Credits
    Kyler Katz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-14T11:04:03.962Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/05/14/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26795",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T18:43:03.448426Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T18:43:08.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.maven.apache.org/maven2",
              "defaultStatus": "unaffected",
              "packageName": "org.apache.iotdb:iotdb-jdbc",
              "product": "Apache IoTDB JDBC driver",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.3",
                  "status": "affected",
                  "version": "0.10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.2",
                  "status": "affected",
                  "version": "2.0.1-beta",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kyler Katz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eExposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.\u003c/p\u003e\u003cp\u003eThis issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.\n\nThis issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.\n\nUsers are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T10:43:05.586Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/bj0ytxr5wg0c4jw8xm7rhfd8ogho0r91"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-26795",
        "datePublished": "2025-05-14T10:43:05.586Z",
        "dateReserved": "2025-02-14T10:32:51.543Z",
        "dateUpdated": "2025-05-19T18:43:08.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-24780 (GCVE-0-2024-24780)

    Vulnerability from cvelistv5 – Published: 2025-05-14 10:42 – Updated: 2026-02-26 18:28
    VLAI
    Title
    Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function
    Summary
    Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution with untrusted URI of User-defined function
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 1.3.4 (semver)
    Create a notification for this product.
    Credits
    Y4 tacker Nbxiglk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-14T11:03:09.771Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/05/14/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-24780",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-15T04:02:01.279763Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:28:09.987Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.3.4",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Y4 tacker"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Nbxiglk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eRemote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u0026nbsp;privilege to create UDF can register malicious function from\u0026nbsp;untrusted URI.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u00a0privilege to create UDF can register malicious function from\u00a0untrusted URI.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\n\nUsers are recommended to upgrade to version 1.3.4, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution with untrusted URI of User-defined function",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T10:42:20.580Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-24780",
        "datePublished": "2025-05-14T10:42:20.580Z",
        "dateReserved": "2024-01-30T10:43:03.969Z",
        "dateUpdated": "2026-02-26T18:28:09.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-46226 (GCVE-0-2023-46226)

    Vulnerability from cvelistv5 – Published: 2024-01-15 10:35 – Updated: 2025-06-20 16:51
    VLAI
    Title
    Apache IoTDB: Remote Code Execution (RCE) risk via the UDF
    Summary
    Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote code execution
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 1.0.0 , ≤ 1.2.2 (semver)
    Create a notification for this product.
    Credits
    Glassy of EagleCloud
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:37:40.189Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-16T19:33:03.388067Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T16:51:31.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.2",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Glassy of EagleCloud"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remote Code Execution vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote code execution",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-15T10:40:05.829Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/01/15/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Remote Code Execution (RCE) risk via the UDF",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-46226",
        "datePublished": "2024-01-15T10:35:49.810Z",
        "dateReserved": "2023-10-19T01:26:14.726Z",
        "dateUpdated": "2025-06-20T16:51:31.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-51656 (GCVE-0-2023-51656)

    Vulnerability from cvelistv5 – Published: 2023-12-21 11:47 – Updated: 2025-02-13 17:19
    VLAI
    Title
    Apache IoTDB: Unsafe deserialize map in Sync Tool
    Summary
    Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.
    Severity
    No CVSS data available.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 0.13.0 , ≤ 0.13.4 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:40:34.137Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "0.13.4",
                  "status": "affected",
                  "version": "0.13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.2.2, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\n\nUsers are recommended to upgrade to version 1.2.2, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-21T11:50:05.570Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB: Unsafe deserialize map in Sync Tool",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-51656",
        "datePublished": "2023-12-21T11:47:57.912Z",
        "dateReserved": "2023-12-21T10:48:18.431Z",
        "dateUpdated": "2025-02-13T17:19:46.209Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-24831 (GCVE-0-2023-24831)

    Vulnerability from cvelistv5 – Published: 2023-04-17 06:42 – Updated: 2024-10-21 14:17
    VLAI
    Title
    Apache IoTDB grafana-connector Login Bypass Vulnerability
    Summary
    Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Affected: 0.13.0 , ≤ 0.13.3 (semver)
    Create a notification for this product.
    apache iotdb Affected: 0 , ≤ 0.13.3 (custom)
        cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:03:19.260Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "iotdb",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "0.13.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-24831",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-21T14:14:59.918874Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-21T14:17:36.529Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "0.13.3",
                  "status": "affected",
                  "version": "0.13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.\u003cp\u003eThis issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\u003c/p\u003eAttackers could login without authorization. This is fixed in 0.13.4."
                }
              ],
              "value": "Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.\n\nAttackers could login without authorization. This is fixed in 0.13.4."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-17T06:42:06.404Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB grafana-connector Login Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-24831",
        "datePublished": "2023-04-17T06:42:06.404Z",
        "dateReserved": "2023-01-30T15:53:19.799Z",
        "dateUpdated": "2024-10-21T14:17:36.529Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-24829 (GCVE-0-2023-24829)

    Vulnerability from cvelistv5 – Published: 2023-01-31 09:22 – Updated: 2025-03-27 17:13
    VLAI
    Title
    Apache IoTDB Workbench: apache/iotdb-web-workbench: forge the JWTToken to access workbench
    Summary
    Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache IoTDB Workbench Affected: 0.13.0 , < 0.13.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:03:19.318Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/l0b59hh046tyn4gqot0bdrpg8gxlksmo"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-24829",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-27T17:13:16.567040Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T17:13:42.494Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache IoTDB Workbench",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "0.13.3",
                  "status": "affected",
                  "version": "0.13.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.\u003cp\u003eThis issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.\u003cbr\u003e\u003cbr\u003eThis problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.\n\nThis problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.\n\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-08T16:15:06.910Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/l0b59hh046tyn4gqot0bdrpg8gxlksmo"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache IoTDB Workbench: apache/iotdb-web-workbench: forge the JWTToken to access workbench",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-24829",
        "datePublished": "2023-01-31T09:22:41.587Z",
        "dateReserved": "2023-01-30T14:45:51.213Z",
        "dateUpdated": "2025-03-27T17:13:42.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    VAR-202012-1529

    Vulnerability from variot - Updated: 2026-04-10 23:03

    A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. There is a security vulnerability in FasterXML Jackson Databind, which can be exploited by an attacker to transmit malicious XML data to FasterXML Jackson Databind to read files, scan sites, or trigger a denial of service. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Solution:

    Before applying this update, make sure all previously released errata relevant to your system have been applied.

    Security Fix(es):

    • xmlgraphics-commons: SSRF due to improper input validation by the XMPParser (CVE-2020-11988)

    • xstream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)

    • xstream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)

    • xstream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)

    • xstream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)

    • xstream: ReDoS vulnerability (CVE-2021-21348)

    • xstream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)

    • xstream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)

    • xstream: SSRF via crafted input stream (CVE-2021-21342)

    • jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)

    • xstream: allow a remote attacker to execute arbitrary code only by manipulating the processed input stream (CVE-2021-21350)

    • xstream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21347)

    • xstream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21346)

    • xstream: allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream (CVE-2021-21345)

    • xstream: arbitrary code execution via crafted input stream (CVE-2021-21344)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):

    1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) 1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling 1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling 1933816 - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream 1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet 1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry 1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue 1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability 1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host 1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream

    1. You must be logged in to download the update. See the following advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2021:1427

    All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at

    https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor

    1. Solution:

    For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

    https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html

    Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html

    1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

    ====================================================================
    Red Hat Security Advisory

    Synopsis: Important: Red Hat Data Grid 7.3.8 security update Advisory ID: RHSA-2020:5410-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2020:5410 Issue date: 2020-12-14 CVE Names: CVE-2020-25644 CVE-2020-25649 ==================================================================== 1. Summary:

    An update for Red Hat Data Grid is now available.

    Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

    1. Description:

    Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.

    This release of Red Hat Data Grid 7.3.8 serves as a replacement for Red Hat Data Grid 7.3.7 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.

    Security Fix(es):

    • wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)

    • jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

    1. Solution:

    To install this update, do the following:

    1. Download the Data Grid 7.3.8 server patch from the customer portal. See the download link in the References section.
    2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.
    3. Install the Data Grid 7.3.8 server patch. Refer to the 7.3 Release Notes for patching instructions.
    4. Restart Data Grid to ensure the changes take effect.

    5. Bugs fixed (https://bugzilla.redhat.com/):

    1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL 1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

    1. References:

    https://access.redhat.com/security/cve/CVE-2020-25644 https://access.redhat.com/security/cve/CVE-2020-25649 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product\xdata.grid&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/

    1. Contact:

    The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

    Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

    iQIVAwUBX9emjtzjgjWX9erEAQiNVxAAi0ep0/wcoyArgPwQSXS3a2JePbmC2VKe /29gx/nj70agJX62B9b5iA+UbbLsYuowH4UKcYII/cD4KWgPjk+G8TdGov2kWy9P OFtQvhP8f9reSlSWfEjzoMlTGfaUIg6xRsP6ClWpBr76xTxb/w07tGX8j1Mn9qjC s29Nfz8lYxWyDNhnUsnPNacDB7qIrHrv38eRqTn+jimZLrXtR8ktJWOmN96XRyIZ iuCkvpGOimVXugkqgITY6f0HYHFYOq6c05Q0M8sShz526l/ewnUpv0PtZzTwyCU6 OzyV5tcF/4VAHF7l/WoLV8R+jdXnq3Zqd1gx509Bwkg4VMNSXB0qBT7ldKmuYrBg BUvErN/LQ27g9kkKnQrLWWlxHTs687KxmNhGn9uKMzO0iBFq4/pt/aVh/RoAkO3H NnZ2SD6t3UAsyVZ/xeVENhzn5+0JT7qhtjwmtKy7PI04B/ikO37lJ4x9lNhhdevt DAuK/qiTTu7467v9V2g3dA8ke+2LVmITNNKrGxXcEvxdhA+m1dnzmzD1h3r8Rm2h NFF0zQlORj+DVQN7rbhx2bN62/C2z5R2J2OjOWZxlME9qste6cwGan3Z/r1xQUmp TXbH4S9aJsggZ6nfdRuWxvvLujiy7hniBPWVKGRx2Po1GawHflK2bA61zDeTesg4 QPDe2x7xQHE=DiHA -----END PGP SIGNATURE-----

    -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Summary:

    Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Description:

    The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

    The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).

    Bug Fix(es):

    • Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

    • Solution:

    For details on how to apply this update, which includes the changes described in this advisory, refer to:

    https://access.redhat.com/articles/2974891

    1. Bugs fixed (https://bugzilla.redhat.com/):

    1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API 1702237 - [RFE] add API for listing disksnapshots under disk resource 1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity. 1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information. 1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM. 1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal. 1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x 1881115 - RHEL VM icons squashed, please adhere to brand rules 1881357 - German language greeting page says Red Hat® 1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) 1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom 1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env 1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version 1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine. 1903595 - [PPC] Can't add PPC host to Engine

    1. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

    7

    Show details on source website

    {
      "affected_products": {
        "_id": null,
        "data": [
          {
            "_id": null,
            "model": "insurance rules palette",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.3.0"
          },
          {
            "_id": null,
            "model": "banking platform",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "2.7.1"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "17.7"
          },
          {
            "_id": null,
            "model": "jackson-databind",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "fasterxml",
            "version": "2.10.5.1"
          },
          {
            "_id": null,
            "model": "iotdb",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "apache",
            "version": "0.12.0"
          },
          {
            "_id": null,
            "model": "communications unified inventory management",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "7.4.1"
          },
          {
            "_id": null,
            "model": "banking platform",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "2.9.0"
          },
          {
            "_id": null,
            "model": "insurance policy administration",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.0.2"
          },
          {
            "_id": null,
            "model": "jackson-databind",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "fasterxml",
            "version": "2.9.10.7"
          },
          {
            "_id": null,
            "model": "retail service backbone",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "14.1.3.2"
          },
          {
            "_id": null,
            "model": "retail service backbone",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "15.0.3.1"
          },
          {
            "_id": null,
            "model": "retail xstore point of service",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "16.0.6"
          },
          {
            "_id": null,
            "model": "communications billing and revenue management",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.0.0.3.0"
          },
          {
            "_id": null,
            "model": "webcenter portal",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.2.1.3.0"
          },
          {
            "_id": null,
            "model": "webcenter portal",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.2.1.4.0"
          },
          {
            "_id": null,
            "model": "communications evolved communications application server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "7.1"
          },
          {
            "_id": null,
            "model": "agile product lifecycle management integration pack",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "3.6"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "19.12.0"
          },
          {
            "_id": null,
            "model": "jd edwards enterpriseone tools",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "9.2.5.3"
          },
          {
            "_id": null,
            "model": "coherence",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "14.1.1.0.0"
          },
          {
            "_id": null,
            "model": "oncommand workflow automation",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netapp",
            "version": null
          },
          {
            "_id": null,
            "model": "coherence",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.2.1.4.0"
          },
          {
            "_id": null,
            "model": "blockchain platform",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "21.1.2"
          },
          {
            "_id": null,
            "model": "communications interactive session recorder",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "6.4"
          },
          {
            "_id": null,
            "model": "agile plm",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "9.3.6"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "17.12.0"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "20.12.0"
          },
          {
            "_id": null,
            "model": "communications messaging server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "8.0.2"
          },
          {
            "_id": null,
            "model": "jackson-databind",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "fasterxml",
            "version": "2.6.7.4"
          },
          {
            "_id": null,
            "model": "insurance rules palette",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.0.2"
          },
          {
            "_id": null,
            "model": "banking platform",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "2.10.0"
          },
          {
            "_id": null,
            "model": "commerce platform",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.3.2"
          },
          {
            "_id": null,
            "model": "service level manager",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netapp",
            "version": null
          },
          {
            "_id": null,
            "model": "retail xstore point of service",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "18.0.3"
          },
          {
            "_id": null,
            "model": "banking platform",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "2.6.2"
          },
          {
            "_id": null,
            "model": "communications pricing design center",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.0.0.4.0"
          },
          {
            "_id": null,
            "model": "banking apis",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "19.1"
          },
          {
            "_id": null,
            "model": "utilities framework",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "4.4.0.0.0"
          },
          {
            "_id": null,
            "model": "retail xstore point of service",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "20.0.1"
          },
          {
            "_id": null,
            "model": "jackson-databind",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "fasterxml",
            "version": "2.9.0"
          },
          {
            "_id": null,
            "model": "oncommand api services",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netapp",
            "version": null
          },
          {
            "_id": null,
            "model": "communications offline mediation controller",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.0.0.3"
          },
          {
            "_id": null,
            "model": "banking apis",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "18.1"
          },
          {
            "_id": null,
            "model": "health sciences empirica signal",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "9.0"
          },
          {
            "_id": null,
            "model": "health sciences empirica signal",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "9.1"
          },
          {
            "_id": null,
            "model": "retail xstore point of service",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "19.0.2"
          },
          {
            "_id": null,
            "model": "jd edwards enterpriseone orchestrator",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "9.2.5.3"
          },
          {
            "_id": null,
            "model": "insurance policy administration",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.1.0"
          },
          {
            "_id": null,
            "model": "banking apis",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "18.3"
          },
          {
            "_id": null,
            "model": "communications services gatekeeper",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "19.12.10"
          },
          {
            "_id": null,
            "model": "retail xstore point of service",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "17.0.4"
          },
          {
            "_id": null,
            "model": "banking platform",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "2.7.0"
          },
          {
            "_id": null,
            "model": "fedora",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "fedoraproject",
            "version": "32"
          },
          {
            "_id": null,
            "model": "banking apis",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "20.1"
          },
          {
            "_id": null,
            "model": "jackson-databind",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "fasterxml",
            "version": "2.6.0"
          },
          {
            "_id": null,
            "model": "banking treasury management",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "4.4"
          },
          {
            "_id": null,
            "model": "commerce platform",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.3.0"
          },
          {
            "_id": null,
            "model": "jackson-databind",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "fasterxml",
            "version": "2.10.0"
          },
          {
            "_id": null,
            "model": "banking platform",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "2.8.0"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "17.12"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "17.12.11"
          },
          {
            "_id": null,
            "model": "retail service backbone",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "16.0.3"
          },
          {
            "_id": null,
            "model": "insurance policy administration",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.3.0"
          },
          {
            "_id": null,
            "model": "utilities framework",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "4.4.0.2.0"
          },
          {
            "_id": null,
            "model": "communications cloud native core unified data repository",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "1.4.0"
          },
          {
            "_id": null,
            "model": "commerce platform",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.2.0"
          },
          {
            "_id": null,
            "model": "utilities framework",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "4.3.0.5.0"
          },
          {
            "_id": null,
            "model": "banking apis",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "19.2"
          },
          {
            "_id": null,
            "model": "communications interactive session recorder",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "6.3"
          },
          {
            "_id": null,
            "model": "banking apis",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "21.1"
          },
          {
            "_id": null,
            "model": "communications convergent charging controller",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.0.4.0.0"
          },
          {
            "_id": null,
            "model": "communications instant messaging server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "10.0.1.5.0"
          },
          {
            "_id": null,
            "model": "insurance rules palette",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.1.0"
          },
          {
            "_id": null,
            "model": "communications network charging and control",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.0.4.0.0"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "18.8.11"
          },
          {
            "_id": null,
            "model": "communications billing and revenue management",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "7.5.0.23.0"
          },
          {
            "_id": null,
            "model": "primavera gateway",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "18.8.0"
          },
          {
            "_id": null,
            "model": "utilities framework",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "4.4.0.3.0"
          },
          {
            "_id": null,
            "model": "utilities framework",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "4.3.0.6.0"
          },
          {
            "_id": null,
            "model": "sd-wan edge",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "9.0"
          },
          {
            "_id": null,
            "model": "goldengate application adapters",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "19.1.0.0.0"
          },
          {
            "_id": null,
            "model": "quarkus",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "quarkus",
            "version": "1.6.1"
          },
          {
            "_id": null,
            "model": "communications messaging server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "8.1"
          },
          {
            "_id": null,
            "model": "hitachi ops center analyzer viewpoint",
            "scope": null,
            "trust": 0.8,
            "vendor": "\u65e5\u7acb",
            "version": null
          },
          {
            "_id": null,
            "model": "service level manager",
            "scope": null,
            "trust": 0.8,
            "vendor": "netapp",
            "version": null
          },
          {
            "_id": null,
            "model": "oncommand workflow automation",
            "scope": null,
            "trust": 0.8,
            "vendor": "netapp",
            "version": null
          },
          {
            "_id": null,
            "model": "fedora",
            "scope": null,
            "trust": 0.8,
            "vendor": "fedora",
            "version": null
          },
          {
            "_id": null,
            "model": "oncommand api services",
            "scope": null,
            "trust": 0.8,
            "vendor": "netapp",
            "version": null
          },
          {
            "_id": null,
            "model": "quarkus",
            "scope": null,
            "trust": 0.8,
            "vendor": "quarkus",
            "version": null
          },
          {
            "_id": null,
            "model": "jackson-databind",
            "scope": null,
            "trust": 0.8,
            "vendor": "fasterxml",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25649"
          }
        ]
      },
      "credits": {
        "_id": null,
        "data": "Red Hat",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "162696"
          },
          {
            "db": "PACKETSTORM",
            "id": "163201"
          },
          {
            "db": "PACKETSTORM",
            "id": "159759"
          },
          {
            "db": "PACKETSTORM",
            "id": "162240"
          },
          {
            "db": "PACKETSTORM",
            "id": "159973"
          },
          {
            "db": "PACKETSTORM",
            "id": "162478"
          },
          {
            "db": "PACKETSTORM",
            "id": "160489"
          },
          {
            "db": "PACKETSTORM",
            "id": "161261"
          }
        ],
        "trust": 0.8
      },
      "cve": "CVE-2020-25649",
      "cvss": {
        "_id": null,
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2020-25649",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 10.0,
                "id": "VHN-179648",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 3.9,
                "id": "CVE-2020-25649",
                "impactScore": 3.6,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 7.5,
                "baseSeverity": "High",
                "confidentialityImpact": "None",
                "exploitabilityScore": null,
                "id": "CVE-2020-25649",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-25649",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2020-25649",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "VULHUB",
                "id": "VHN-179648",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-179648"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25649"
          }
        ]
      },
      "description": {
        "_id": null,
        "data": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. There is a security vulnerability in FasterXML Jackson Databind, which can be exploited by an attacker to transmit malicious XML data to FasterXML Jackson Databind to read files, scan sites, or trigger a denial of service. The purpose of this text-only\nerrata is to inform you about the security issues fixed in this release. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nSecurity Fix(es):\n\n* xmlgraphics-commons: SSRF due to improper input validation by the\nXMPParser (CVE-2020-11988)\n\n* xstream: allow a remote attacker to cause DoS only by manipulating the\nprocessed input stream (CVE-2021-21341)\n\n* xstream: allow a remote attacker to load and execute arbitrary code from\na remote host only by manipulating the processed input stream\n(CVE-2021-21351)\n\n* xstream: arbitrary file deletion on the local host via crafted input\nstream (CVE-2021-21343)\n\n* xstream: arbitrary file deletion on the local host when unmarshalling\n(CVE-2020-26259)\n\n* xstream: ReDoS vulnerability (CVE-2021-21348)\n\n* xstream: Server-Side Forgery Request vulnerability can be activated when\nunmarshalling (CVE-2020-26258)\n\n* xstream: SSRF can be activated unmarshalling with XStream to access data\nstreams from an arbitrary URL referencing a resource in an intranet or the\nlocal host (CVE-2021-21349)\n\n* xstream: SSRF via crafted input stream (CVE-2021-21342)\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is\nvulnerable to XML external entity (XXE) (CVE-2020-25649)\n\n* xstream: allow a remote attacker to execute arbitrary code only by\nmanipulating the processed input stream (CVE-2021-21350)\n\n* xstream: allow a remote attacker to load and execute arbitrary code from\na remote host only by manipulating the processed input stream\n(CVE-2021-21347)\n\n* xstream: allow a remote attacker to load and execute arbitrary code from\na remote host only by manipulating the processed input stream\n(CVE-2021-21346)\n\n* xstream: allow a remote attacker who has sufficient rights to execute\ncommands of the host only by manipulating the processed input stream\n(CVE-2021-21345)\n\n* xstream: arbitrary code execution via crafted input stream\n(CVE-2021-21344)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):\n\n1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)\n1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling\n1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling\n1933816 - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser\n1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream\n1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream\n1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream\n1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet\n1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry\n1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue\n1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator\n1942633 - CVE-2021-21348 XStream: ReDoS vulnerability\n1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host\n1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader\n1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream\n\n5. You must be logged in to download the update. See the following advisory for the container images for\nthis release:\n\nhttps://access.redhat.com/errata/RHBA-2021:1427\n\nAll OpenShift Container Platform 4.6 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\n\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster\n- -between-minor.html#understanding-upgrade-channels_updating-cluster-between\n- -minor\n\n3. Solution:\n\nFor OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster\n- -cli.html\n\n4. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Important: Red Hat Data Grid 7.3.8 security update\nAdvisory ID:       RHSA-2020:5410-01\nProduct:           Red Hat JBoss Data Grid\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2020:5410\nIssue date:        2020-12-14\nCVE Names:         CVE-2020-25644 CVE-2020-25649\n====================================================================\n1. Summary:\n\nAn update for Red Hat Data Grid is now available. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the\nInfinispan project. \n\nThis release of Red Hat Data Grid 7.3.8 serves as a replacement for Red Hat\nData Grid 7.3.7 and includes bug fixes and enhancements, which are\ndescribed in the Release Notes, linked to in the References section of this\nerratum. \n\nSecurity Fix(es):\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL\n(CVE-2020-25644)\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is\nvulnerable to XML external entity (XXE) (CVE-2020-25649)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nTo install this update, do the following:\n\n1. Download the Data Grid 7.3.8 server patch from the customer portal. See\nthe download link in the References section. \n2. Back up your existing Data Grid installation. You should back up\ndatabases, configuration files, and so on. \n3. Install the Data Grid 7.3.8 server patch. Refer to the 7.3 Release Notes\nfor patching instructions. \n4. Restart Data Grid to ensure the changes take effect. \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL\n1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-25644\nhttps://access.redhat.com/security/cve/CVE-2020-25649\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product\\xdata.grid\u0026downloadType=securityPatches\u0026version=7.3\nhttps://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX9emjtzjgjWX9erEAQiNVxAAi0ep0/wcoyArgPwQSXS3a2JePbmC2VKe\n/29gx/nj70agJX62B9b5iA+UbbLsYuowH4UKcYII/cD4KWgPjk+G8TdGov2kWy9P\nOFtQvhP8f9reSlSWfEjzoMlTGfaUIg6xRsP6ClWpBr76xTxb/w07tGX8j1Mn9qjC\ns29Nfz8lYxWyDNhnUsnPNacDB7qIrHrv38eRqTn+jimZLrXtR8ktJWOmN96XRyIZ\niuCkvpGOimVXugkqgITY6f0HYHFYOq6c05Q0M8sShz526l/ewnUpv0PtZzTwyCU6\nOzyV5tcF/4VAHF7l/WoLV8R+jdXnq3Zqd1gx509Bwkg4VMNSXB0qBT7ldKmuYrBg\nBUvErN/LQ27g9kkKnQrLWWlxHTs687KxmNhGn9uKMzO0iBFq4/pt/aVh/RoAkO3H\nNnZ2SD6t3UAsyVZ/xeVENhzn5+0JT7qhtjwmtKy7PI04B/ikO37lJ4x9lNhhdevt\nDAuK/qiTTu7467v9V2g3dA8ke+2LVmITNNKrGxXcEvxdhA+m1dnzmzD1h3r8Rm2h\nNFF0zQlORj+DVQN7rbhx2bN62/C2z5R2J2OjOWZxlME9qste6cwGan3Z/r1xQUmp\nTXbH4S9aJsggZ6nfdRuWxvvLujiy7hniBPWVKGRx2Po1GawHflK2bA61zDeTesg4\nQPDe2x7xQHE=DiHA\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. Summary:\n\nUpdated ovirt-engine packages that fix several bugs and add various\nenhancements are now available. Description:\n\nThe ovirt-engine package provides the Red Hat Virtualization Manager, a\ncentralized management platform that allows system administrators to view\nand manage virtual machines. The Manager provides a comprehensive range of\nfeatures including search capabilities, resource management, live\nmigrations, and virtual infrastructure provisioning. \n\nThe Manager is a JBoss Application Server application that provides several\ninterfaces through which the virtual environment can be accessed and\ninteracted with, including an Administration Portal, a VM Portal, and a\nRepresentational State Transfer (REST) Application Programming Interface\n(API). \n\nBug Fix(es):\n\n* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API\n1702237 - [RFE] add API for listing disksnapshots under disk resource\n1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity. \n1868114 - RHV-M UI/Webadmin:  The \"Disk Snapshots\" tab reflects incorrect \"Creation Date\" information. \n1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM. \n1879655 - [RFE] Implement searching VM\u0027s with partial name or case sensitive vm names in VM Portal. \n1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x\n1881115 - RHEL VM icons squashed, please adhere to brand rules\n1881357 - German language greeting page says Red Hat\u00c2\u00ae\n1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)\n1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom\n1894298 - ModuleNotFoundError: No module named \u0027ovirt_engine\u0027 raised when starting ovirt-engine-dwhd.py in dev env\n1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version\n1903385 - RFE:  rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine. \n1903595 - [PPC] Can\u0027t add PPC host to Engine\n\n6.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-25649"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          },
          {
            "db": "VULHUB",
            "id": "VHN-179648"
          },
          {
            "db": "PACKETSTORM",
            "id": "162696"
          },
          {
            "db": "PACKETSTORM",
            "id": "163201"
          },
          {
            "db": "PACKETSTORM",
            "id": "159759"
          },
          {
            "db": "PACKETSTORM",
            "id": "162240"
          },
          {
            "db": "PACKETSTORM",
            "id": "159973"
          },
          {
            "db": "PACKETSTORM",
            "id": "162478"
          },
          {
            "db": "PACKETSTORM",
            "id": "160489"
          },
          {
            "db": "PACKETSTORM",
            "id": "161261"
          }
        ],
        "trust": 2.43
      },
      "external_ids": {
        "_id": null,
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2020-25649",
            "trust": 2.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030",
            "trust": 0.8
          },
          {
            "db": "PACKETSTORM",
            "id": "162478",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "159973",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "162696",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "160489",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "163201",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "159759",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "161261",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "162240",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "160349",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "160346",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "163205",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "160347",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "160348",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "159767",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "160554",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "159680",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "161766",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "160535",
            "trust": 0.1
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202010-622",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-179648",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-179648"
          },
          {
            "db": "PACKETSTORM",
            "id": "162696"
          },
          {
            "db": "PACKETSTORM",
            "id": "163201"
          },
          {
            "db": "PACKETSTORM",
            "id": "159759"
          },
          {
            "db": "PACKETSTORM",
            "id": "162240"
          },
          {
            "db": "PACKETSTORM",
            "id": "159973"
          },
          {
            "db": "PACKETSTORM",
            "id": "162478"
          },
          {
            "db": "PACKETSTORM",
            "id": "160489"
          },
          {
            "db": "PACKETSTORM",
            "id": "161261"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25649"
          }
        ]
      },
      "id": "VAR-202012-1529",
      "iot": {
        "_id": null,
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-179648"
          }
        ],
        "trust": 0.01
      },
      "last_update_date": "2026-04-10T23:03:15.588000Z",
      "patch": {
        "_id": null,
        "data": [
          {
            "title": "hitachi-sec-2021-111",
            "trust": 0.8,
            "url": "https://github.com/FasterXML/jackson-databind/issues/2589"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          }
        ]
      },
      "problemtype_data": {
        "_id": null,
        "data": [
          {
            "problemtype": "CWE-611",
            "trust": 1.1
          },
          {
            "problemtype": "XML Improper restrictions on external entity references (CWE-611) [ Other ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-179648"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25649"
          }
        ]
      },
      "references": {
        "_id": null,
        "data": [
          {
            "trust": 1.6,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25649"
          },
          {
            "trust": 1.1,
            "url": "https://security.netapp.com/advisory/ntap-20210108-0007/"
          },
          {
            "trust": 1.1,
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
          },
          {
            "trust": 1.1,
            "url": "https://github.com/fasterxml/jackson-databind/issues/2589"
          },
          {
            "trust": 1.1,
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3creviews.iotdb.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3creviews.iotdb.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3cnotifications.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3creviews.iotdb.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3cuser.spark.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3cnotifications.iotdb.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3ccommits.iotdb.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3cnotifications.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3ccommits.druid.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3cissues.flink.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6x2ut4x6m7dlqyboohmxbwgyj65rl2ct/"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3ccommits.servicecomb.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3cnotifications.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3ccommits.turbine.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3cissues.flink.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3cdev.knox.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3cdev.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3cdev.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3cdev.knox.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3ccommits.tomee.apache.org%3e"
          },
          {
            "trust": 1.0,
            "url": "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.9,
            "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 0.9,
            "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 0.9,
            "url": "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.9,
            "url": "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.9,
            "url": "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.9,
            "url": "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3ccommits.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.8,
            "url": "https://bugzilla.redhat.com/):"
          },
          {
            "trust": 0.8,
            "url": "https://access.redhat.com/security/team/contact/"
          },
          {
            "trust": 0.8,
            "url": "https://access.redhat.com/security/cve/cve-2020-25649"
          },
          {
            "trust": 0.4,
            "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
          },
          {
            "trust": 0.4,
            "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
          },
          {
            "trust": 0.3,
            "url": "https://access.redhat.com/security/updates/classification/#important"
          },
          {
            "trust": 0.3,
            "url": "https://access.redhat.com/security/updates/classification/#low"
          },
          {
            "trust": 0.2,
            "url": "https://access.redhat.com/security/updates/classification/#moderate"
          },
          {
            "trust": 0.1,
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6x2ut4x6m7dlqyboohmxbwgyj65rl2ct/"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3ccommits.servicecomb.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3ccommits.druid.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3cissues.flink.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3cissues.flink.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3cdev.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3cissues.hive.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3ccommits.iotdb.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3cnotifications.iotdb.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3creviews.iotdb.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3creviews.iotdb.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3creviews.iotdb.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3cdev.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3cjira.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3cusers.kafka.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3ccommits.karaf.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3cdev.knox.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3cdev.knox.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3cuser.spark.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3ccommits.tomee.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3ccommits.turbine.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3cdev.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3cissues.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3cnotifications.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3cnotifications.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3cnotifications.zookeeper.apache.org%3e"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25638"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2020-14040"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/articles/11258"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-14040"
          },
          {
            "trust": 0.1,
            "url": "https://catalog.redhat.com/software/operators/detail/5ef2818e7dc79430ca5f4fd2"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2021:2039"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2020-25638"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21350"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2021:2475"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21341"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-26258"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21347"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21349"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21341"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21342"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21351"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21345"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-26259"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21342"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21344"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2020-26258"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21348"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21348"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21344"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21349"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11988"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2020-11988"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21350"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21346"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21347"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21345"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21343"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21343"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21346"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-21351"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2020-26259"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform\u0026downloadtype=securitypatches\u0026version=7.3"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2020:4402"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2021:1260"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.amq.streams\u0026version=1.7.0"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2020:4379"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/3.9/html/release_notes_for_eclipse_vert.x_3.9/index"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product\\xcatrhoar.eclipse.vertx\u0026version=3.9.4"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhba-2021:1427"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-2163"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-27363"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20305"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-3347"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2021:1429"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-27364"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-27365"
          },
          {
            "trust": 0.1,
            "url": "https://docs.openshift.com/container-platform/4.6/updating/updating-cluster"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-27363"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3447"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-3447"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3347"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-27365"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-27364"
          },
          {
            "trust": 0.1,
            "url": "https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2021-20305"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-2163"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2020:5410"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25644"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product\\xdata.grid\u0026downloadtype=securitypatches\u0026version=7.3"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2020-25644"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/articles/2974891"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/errata/rhsa-2021:0381"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/team/key/"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-179648"
          },
          {
            "db": "PACKETSTORM",
            "id": "162696"
          },
          {
            "db": "PACKETSTORM",
            "id": "163201"
          },
          {
            "db": "PACKETSTORM",
            "id": "159759"
          },
          {
            "db": "PACKETSTORM",
            "id": "162240"
          },
          {
            "db": "PACKETSTORM",
            "id": "159973"
          },
          {
            "db": "PACKETSTORM",
            "id": "162478"
          },
          {
            "db": "PACKETSTORM",
            "id": "160489"
          },
          {
            "db": "PACKETSTORM",
            "id": "161261"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25649"
          }
        ]
      },
      "sources": {
        "_id": null,
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-179648",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "162696",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "163201",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "159759",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "162240",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "159973",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "162478",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "160489",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "161261",
            "ident": null
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030",
            "ident": null
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25649",
            "ident": null
          }
        ]
      },
      "sources_release_date": {
        "_id": null,
        "data": [
          {
            "date": "2020-12-03T00:00:00",
            "db": "VULHUB",
            "id": "VHN-179648",
            "ident": null
          },
          {
            "date": "2021-05-19T14:19:36",
            "db": "PACKETSTORM",
            "id": "162696",
            "ident": null
          },
          {
            "date": "2021-06-17T18:16:15",
            "db": "PACKETSTORM",
            "id": "163201",
            "ident": null
          },
          {
            "date": "2020-10-29T14:19:38",
            "db": "PACKETSTORM",
            "id": "159759",
            "ident": null
          },
          {
            "date": "2021-04-20T16:11:17",
            "db": "PACKETSTORM",
            "id": "162240",
            "ident": null
          },
          {
            "date": "2020-11-09T19:20:13",
            "db": "PACKETSTORM",
            "id": "159973",
            "ident": null
          },
          {
            "date": "2021-05-06T01:15:29",
            "db": "PACKETSTORM",
            "id": "162478",
            "ident": null
          },
          {
            "date": "2020-12-14T18:06:53",
            "db": "PACKETSTORM",
            "id": "160489",
            "ident": null
          },
          {
            "date": "2021-02-02T16:13:56",
            "db": "PACKETSTORM",
            "id": "161261",
            "ident": null
          },
          {
            "date": "2021-07-20T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-014030",
            "ident": null
          },
          {
            "date": "2020-12-03T17:15:12.503000",
            "db": "NVD",
            "id": "CVE-2020-25649",
            "ident": null
          }
        ]
      },
      "sources_update_date": {
        "_id": null,
        "data": [
          {
            "date": "2023-02-02T00:00:00",
            "db": "VULHUB",
            "id": "VHN-179648",
            "ident": null
          },
          {
            "date": "2021-07-20T04:50:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-014030",
            "ident": null
          },
          {
            "date": "2024-11-21T05:18:20.343000",
            "db": "NVD",
            "id": "CVE-2020-25649",
            "ident": null
          }
        ]
      },
      "threat_type": {
        "_id": null,
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "162696"
          }
        ],
        "trust": 0.1
      },
      "title": {
        "_id": null,
        "data": "FasterXML\u00a0Jackson\u00a0Databind\u00a0 In \u00a0XML\u00a0 External entity vulnerabilities",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014030"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "_id": null,
        "data": "sql injection",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "162696"
          }
        ],
        "trust": 0.1
      }
    }