Apache IoTDB Workbench: apache/iotdb-web-workbench: forge the JWTToken to access workbench
CVE-2023-30771

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Iotdb Workbench
Vendor: CVE Published:; 17 April 2023

Summary

An incorrect authorization vulnerability exists in the iotdb-web-workbench component of Apache IoTDB, affecting version 0.13.3. This component serves as a web console for database management but lacks proper authorization checks, potentially allowing unauthorized users to access secured functions. Users are advised to upgrade to version 0.13.4 or later to mitigate this security risk.

Affected Version(s)

Apache IoTDB Workbench 0.13.3 < 0.13.4

References

https://lists.apache.org/thread/08nc3dr6lshfppx0pzmz5vbgg...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/04/18/7

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 17, 2023
Vulnerability Reserved
Apr 16, 2023