CRITICAL🇵🇱 Wersja polska

CVE-2024-24780

CVSS 9.8v3.1pub. 2025-05-14upd. 2025-07-01

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.

🤖 AI Analysis
How it works

Apache IoTDB allows users to register custom user-defined functions (UDF) by providing a URI pointing to a file with the function implementation. This mechanism does not sufficiently verify the trustworthiness of the provided URI, allowing an attacker with UDF creation privileges to point to a malicious external resource. Loading and executing code from such an untrusted URI leads to arbitrary code execution on the server side (RCE). The vulnerability is classified as CWE-94, which is uncontrolled code modification/injection.

Impact

An attacker can achieve full remote code execution (RCE) on the Apache IoTDB server, which may lead to violation of confidentiality, integrity and availability of data and the entire system.

Mitigation & patch

Apache IoTDB should be updated to version 1.3.4, which contains a fix eliminating this vulnerability. Additionally, it is recommended to review and restrict permissions to create UDF exclusively to trusted users.

Who is affected

Apache IoTDB in versions from 1.0.0 to 1.3.3 (before version 1.3.4)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Iotdb

    APP
    Apache
    1.0.0 – 1.3.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-24015CRITICAL9.8PL ✓ten sam produkt

Krytyczna podatność w Apache IoTDB (CVE-2026-24015)

CVE-2026-24713CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowa walidacja danych wejściowych w Apache IoTDB — RCE/injection

CVE-2023-46226CRITICAL9.8PL ✓ten sam produkt

RCE w Apache IoTDB — zdalne wykonanie kodu bez uwierzytelnienia

CVE-2023-51656CRITICAL9.8PL ✓ten sam produkt

Deserializacja niezaufanych danych w Apache IoTDB (RCE)

CVE-2023-24831CRITICAL9.8ten sam produkt

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoT...