Apache IoTDB subject to ReDOS with Java 8

GHSA-g6hg-4v3c-6jq7 · CVE-2022-43766 · PYSEC-2022-42972

Published Oct 26, 2022 · Modified Jun 9, 2026

Description

Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Packages

Maven/org.apache.iotdb:flink-tsfile-connector

Fix 0.13.3

Introduced 0.12.2

8 affected versions

0.12.20.12.30.12.40.12.50.12.60.13.00.13.10.13.2

Maven/org.apache.iotdb:iotdb-server

Fix 0.13.3

Introduced 0.12.2

8 affected versions

0.12.20.12.30.12.40.12.50.12.60.13.00.13.10.13.2

Maven/org.apache.iotdb:tsfile

Fix 0.13.3

Introduced 0.12.2

8 affected versions

0.12.20.12.30.12.40.12.50.12.60.13.00.13.10.13.2

PyPI/apache-iotdb

Fix 0.13.3

Introduced 0.12.2

9 affected versions

0.12.20.12.30.12.40.12.50.12.60.13.00.13.0.post10.13.10.13.2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes