PyPI package
apache-iotdb
pkg:pypi/apache-iotdb
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-48459 | — | | | >= 1.0.0, < 2.0.5 | 2.0.5 | Sep 24, 2025 | Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue. |
| CVE-2025-26864 | — | | | >= 0.10.0, < 1.3.4 | 1.3.4 | May 14, 2025 | Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to |
| CVE-2024-24780 | — | | | >= 1.0.0, < 1.3.4 | 1.3.4 | May 14, 2025 | Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version |
| CVE-2023-46226 | Critical | 9.8 | | >= 1.0.0, < 1.3.0 | 1.3.0 | Jan 15, 2024 | Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue. |
| CVE-2023-24831 | Critical | 9.8 | | >= 0.13.0, < 0.13.5 | 0.13.5 | Apr 17, 2023 | Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4. |
| CVE-2022-43766 | High | 7.5 | | >= 0.12.2, < 0.13.3 | 0.13.3 | Oct 26, 2022 | Apache IoTDB versions 0.12.2 to 0.12.6 and 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3, which addresses this issue, or use a later version of Java to avoid it. |
| CVE-2022-38369 | High | 8.8 | | < 0.13.1 | 0.13.1 | Sep 5, 2022 | Apache IoTDB version 0.13.0 is vulnerable to a session id attack. Users should upgrade to version 0.13.1, which addresses this issue. |