CRITICAL🇵🇱 Wersja polska

CVE-2023-51656

CVSS 9.8v3.1pub. 2023-12-21upd. 2025-02-13

Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of deserialization of data from untrusted sources. An attacker can send a specially crafted payload to a vulnerable Apache IoTDB endpoint, which will be deserialized without proper validation. This mechanism can lead to arbitrary code execution on the server side.

Impact

An attacker can gain full control over the system, including confidentiality, integrity, and availability of data — which corresponds to maximum CVSS component scores (C:H/I:H/A:H). The attack requires no authentication or user interaction.

Mitigation & patch

Apache IoTDB must be urgently updated to version 1.2.2 or later, which eliminates the described vulnerability.

Who is affected

Apache IoTDB in versions 0.13.0 to 0.13.4 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Iotdb

    APP
    Apache
    0.13.0 – 0.13.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2026-24713CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowa walidacja danych wejściowych w Apache IoTDB — RCE/injection

CVE-2026-24015CRITICAL9.8PL ✓ten sam produkt

Krytyczna podatność w Apache IoTDB (CVE-2026-24015)

CVE-2024-24780CRITICAL9.8PL ✓ten sam produkt

Apache IoTDB: RCE przez rejestrację złośliwej funkcji UDF z niezaufanego URI

CVE-2023-46226CRITICAL9.8PL ✓ten sam produkt

RCE w Apache IoTDB — zdalne wykonanie kodu bez uwierzytelnienia

CVE-2023-24831CRITICAL9.8ten sam produkt

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoT...