Iotdb Apache Iotdb


By the Year

In 2026 there have been 0 vulnerabilities in Apache Iotdb. Last year, in 2025, Iotdb had 5 security vulnerabilities published. Right now, Iotdb is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 5 6.40
2024 1 9.80
2023 5 9.14
2022 3 7.93
2021 0 0.00
2020 2 8.65

It may take a day or so for new Iotdb vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Iotdb Security Vulnerabilities

Apache IoTDB 1.3.3–1.3.4 & 2.0.1-beta–2.0.4 Vulnerability fixed in 2.0.5
CVE-2025-48392 7.5 - High - September 24, 2025

A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue.

Resource Exhaustion

Deserialization Vulnerability in Apache IoTDB 1.0.0–2.0.5
CVE-2025-48459 5.3 - Medium - September 24, 2025

Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue.

Marshaling, Unmarshaling

Apache IoTDB V0.10~2.0.1-beta: Sensitive Data Exposure in OpenIdAuthorizer
CVE-2025-26864 - May 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

Information Disclosure

Apache IoTDB JDBC: Log File Info Disclosure v0.10.0–1.3.3, 2.0.1-beta
CVE-2025-26795 - May 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.

Insertion of Sensitive Information into Log File

Apache IoTDB RCE via Untrusted URI in UDF Registration (bef. 1.3.4)
CVE-2024-24780 - May 14, 2025

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. An attacker who has the privilege to create UDFs can register a malicious function from an untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.

Apache IoTDB RCE in v1.0.0–1.2.2 Fixed in 1.3.0
CVE-2023-46226 9.8 - Critical - January 15, 2024

Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.

Deserialization Flaw in Apache IoTDB 0.13.0–0.13.4 (pre-1.2.2)
CVE-2023-51656 9.8 - Critical - December 21, 2023

Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.

Marshaling, Unmarshaling

Apache IoTDB iotdb-web-workbench 0.13.3 Incorrect Auth Vulnerability (before 0.13.4)
CVE-2023-30771 9.8 - Critical - April 17, 2023

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.

AuthZ

Apache IoTDB Grafana Conn Improper Auth v0.13.0-0.13.3
CVE-2023-24831 9.8 - Critical - April 17, 2023

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could log in without authorization. This is fixed in 0.13.4.

Authentication

Apache IoTDB iotdb-web-workbench <=0.13.2 Incorrect Auth
CVE-2023-24829 8.8 - High - January 31, 2023

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.

AuthZ

Apache IoTDB iotdb-web-workbench Improper Auth before 0.13.3
CVE-2023-24830 7.5 - High - January 30, 2023

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.

Authentication

Apache IoTDB 0.12.2-0.12.6/0.13.0-0.13.2: RegExp DoS on Java 8
CVE-2022-43766 7.5 - High - October 26, 2022

Apache IoTDB versions 0.12.2 to 0.12.6 and 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3, which addresses this issue, or use a later version of Java to avoid it.

Apache IoTDB grafana-connector 0.13.0 Auth Bypass Exposes DB Schema
CVE-2022-38370 7.5 - High - September 05, 2022

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of the database. Users should upgrade to version 0.13.1, which addresses this issue.

AuthZ

Apache IoTDB 0.13.0 Session ID Attack Vulnerability
CVE-2022-38369 8.8 - High - September 05, 2022

Apache IoTDB version 0.13.0 is vulnerable to a session ID attack. Users should upgrade to version 0.13.1, which addresses this issue.

Session Fixation

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly
CVE-2020-25649 7.5 - High - December 03, 2020

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw leaves it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

XXE

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2
CVE-2020-1952 9.8 - Critical - April 27, 2020

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification. Then, clients could execute code remotely.

Improper Certificate Validation
