CVE-2026-24012 (GCVE-0-2026-24012)
Vulnerability from cvelistv5 – Published: 2026-07-06 08:38 – Updated: 2026-07-06 12:59
VLAI
Title
Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
Summary
Uncontrolled Resource Consumption vulnerability in Apache IoTDB.
Some interface fails to impose reasonable
limits on the time span and aggregation interval of the query. An attacker
can construct a request with extreme parameters (e.g., a very large time
range combined with a minimal interval). This forces the DataNode to build
an enormous result set in memory, which exhausts the Java heap and causes
the DataNode process to crash.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/0g5th1t2vj6j8hm5t… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache IoTDB |
Affected:
1.3.3 , < 2.0.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T12:59:08.459706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:59:14.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache IoTDB",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.8",
"status": "affected",
"version": "1.3.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yan Nan (Detecon Security Lab)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache IoTDB.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSome interface\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;fails to impose reasonable\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nlimits on the time span and aggregation interval of the query.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\ncan construct a request with extreme parameters (e.g., a very large time\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nrange combined with a minimal interval).\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis forces the DataNode to build\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nan enormous result set in memory, which exhausts the Java heap and causes\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nthe DataNode process to crash.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\u00a0\n\nSome interface\u00a0fails to impose reasonable\nlimits on the time span and aggregation interval of the query.\u00a0An attacker\ncan construct a request with extreme parameters (e.g., a very large time\nrange combined with a minimal interval).\u00a0This forces the DataNode to build\nan enormous result set in memory, which exhausts the Java heap and causes\nthe DataNode process to crash.\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T08:38:25.308Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-24012",
"datePublished": "2026-07-06T08:38:25.308Z",
"dateReserved": "2026-01-20T02:30:29.932Z",
"dateUpdated": "2026-07-06T12:59:14.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-24012",
"date": "2026-07-06",
"epss": "0.00156",
"percentile": "0.05196"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-24012\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-07-06T09:16:35.037\",\"lastModified\":\"2026-07-06T13:16:33.817\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\u00a0\\n\\nSome interface\u00a0fails to impose reasonable\\nlimits on the time span and aggregation interval of the query.\u00a0An attacker\\ncan construct a request with extreme parameters (e.g., a very large time\\nrange combined with a minimal interval).\u00a0This forces the DataNode to build\\nan enormous result set in memory, which exhausts the Java heap and causes\\nthe DataNode process to crash.\\n\\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\\n\\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\"}],\"affected\":[{\"source\":\"security@apache.org\",\"affectedData\":[{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache IoTDB\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"1.3.3\",\"lessThan\":\"2.0.8\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-06T12:59:08.459706Z\",\"id\":\"CVE-2026-24012\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8\",\"source\":\"security@apache.org\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24012\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-06T12:59:08.459706Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-06T12:59:03.415Z\"}}], \"cna\": {\"title\": \"Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Yan Nan (Detecon Security Lab)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache IoTDB\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.3.3\", \"lessThan\": \"2.0.8\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\\u00a0\\n\\nSome interface\\u00a0fails to impose reasonable\\nlimits on the time span and aggregation interval of the query.\\u00a0An attacker\\ncan construct a request with extreme parameters (e.g., a very large time\\nrange combined with a minimal interval).\\u00a0This forces the DataNode to build\\nan enormous result set in memory, which exhausts the Java heap and causes\\nthe DataNode process to crash.\\n\\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\\n\\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache IoTDB.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSome interface\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;fails to impose reasonable\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nlimits on the time span and aggregation interval of the query.\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eAn attacker\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\ncan construct a request with extreme parameters (e.g., a very large time\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nrange combined with a minimal interval).\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThis forces the DataNode to build\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nan enormous result set in memory, which exhausts the Java heap and causes\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nthe DataNode process to crash.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-07-06T08:38:25.308Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-24012\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-06T12:59:14.486Z\", \"dateReserved\": \"2026-01-20T02:30:29.932Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-07-06T08:38:25.308Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…