CVE-2026-24012 (GCVE-0-2026-24012)

Vulnerability from cvelistv5 – Published: 2026-07-06 08:38 – Updated: 2026-07-06 12:59
VLAI
Title
Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
Summary
Uncontrolled Resource Consumption vulnerability in Apache IoTDB.  Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache IoTDB Affected: 1.3.3 , < 2.0.8 (semver)
Create a notification for this product.
Credits
Yan Nan (Detecon Security Lab)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-24012",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T12:59:08.459706Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T12:59:14.486Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache IoTDB",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.0.8",
              "status": "affected",
              "version": "1.3.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yan Nan (Detecon Security Lab)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache IoTDB.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSome interface\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;fails to impose reasonable\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nlimits on the time span and aggregation interval of the query.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\ncan construct a request with extreme parameters (e.g., a very large time\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nrange combined with a minimal interval).\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis forces the DataNode to build\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nan enormous result set in memory, which exhausts the Java heap and causes\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nthe DataNode process to crash.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\u00a0\n\nSome interface\u00a0fails to impose reasonable\nlimits on the time span and aggregation interval of the query.\u00a0An attacker\ncan construct a request with extreme parameters (e.g., a very large time\nrange combined with a minimal interval).\u00a0This forces the DataNode to build\nan enormous result set in memory, which exhausts the Java heap and causes\nthe DataNode process to crash.\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-06T08:38:25.308Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-24012",
    "datePublished": "2026-07-06T08:38:25.308Z",
    "dateReserved": "2026-01-20T02:30:29.932Z",
    "dateUpdated": "2026-07-06T12:59:14.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-24012",
      "date": "2026-07-06",
      "epss": "0.00156",
      "percentile": "0.05196"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24012\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-07-06T09:16:35.037\",\"lastModified\":\"2026-07-06T13:16:33.817\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\u00a0\\n\\nSome interface\u00a0fails to impose reasonable\\nlimits on the time span and aggregation interval of the query.\u00a0An attacker\\ncan construct a request with extreme parameters (e.g., a very large time\\nrange combined with a minimal interval).\u00a0This forces the DataNode to build\\nan enormous result set in memory, which exhausts the Java heap and causes\\nthe DataNode process to crash.\\n\\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\\n\\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\"}],\"affected\":[{\"source\":\"security@apache.org\",\"affectedData\":[{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache IoTDB\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"1.3.3\",\"lessThan\":\"2.0.8\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-06T12:59:08.459706Z\",\"id\":\"CVE-2026-24012\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8\",\"source\":\"security@apache.org\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24012\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-06T12:59:08.459706Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-06T12:59:03.415Z\"}}], \"cna\": {\"title\": \"Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Yan Nan (Detecon Security Lab)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache IoTDB\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.3.3\", \"lessThan\": \"2.0.8\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uncontrolled Resource Consumption vulnerability in Apache IoTDB.\\u00a0\\n\\nSome interface\\u00a0fails to impose reasonable\\nlimits on the time span and aggregation interval of the query.\\u00a0An attacker\\ncan construct a request with extreme parameters (e.g., a very large time\\nrange combined with a minimal interval).\\u00a0This forces the DataNode to build\\nan enormous result set in memory, which exhausts the Java heap and causes\\nthe DataNode process to crash.\\n\\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\\n\\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache IoTDB.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSome interface\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;fails to impose reasonable\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nlimits on the time span and aggregation interval of the query.\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eAn attacker\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\ncan construct a request with extreme parameters (e.g., a very large time\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nrange combined with a minimal interval).\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThis forces the DataNode to build\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nan enormous result set in memory, which exhausts the Java heap and causes\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nthe DataNode process to crash.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.8, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-07-06T08:38:25.308Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24012\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-06T12:59:14.486Z\", \"dateReserved\": \"2026-01-20T02:30:29.932Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-07-06T08:38:25.308Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…