Apache IoTDB prior to 0.13.3 allows DoS
CVE-2022-43766

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Iotdb
Vendor: CVE Published:; 26 October 2022

What is CVE-2022-43766?

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.

Affected Version(s)

Apache IoTDB <= 0.13.2

Apache IoTDB 0.12.2

References

https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 26, 2022
Vulnerability Reserved
Oct 26, 2022

Credit

This issue was discovered by 4ra1n of Chaitin Tech