Multiple vulnerabilities in Apache IoTDB

Published: 2023-01-30

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2023-24830 CVE-2023-24829
CWE-ID	CWE-254 CWE-285
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Apache IoTDB Server applications / Database software
Vendor	Apache Foundation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Security features bypass

EUVDB-ID: #VU71662

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24830

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error in iotdb-web-workbench. A remote authenticated user can create another user account without authorization.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache IoTDB: 0.13.0 - 0.13.2

External links

http://seclists.org/oss-sec/2023/q1/56

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authorization

EUVDB-ID: #VU71661

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24829

CWE-ID: CWE-285 - Improper Authorization