GHSA-f4rq-f4j9-f6rm

Source

https://github.com/advisories/GHSA-f4rq-f4j9-f6rm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-f4rq-f4j9-f6rm/GHSA-f4rq-f4j9-f6rm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f4rq-f4j9-f6rm

Aliases

CVE-2024-24780

Published

2025-05-14T12:31:11Z

Modified

2025-05-15T17:57:08.182592Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache IoTDB Vulnerable to Remote Code Execution

Details

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.

Users are recommended to upgrade to version 1.3.4, which fixes the issue.

Database specific

{
    "nvd_published_at": "2025-05-14T11:15:47Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-15T17:11:52Z"
}

References

Affected packages

Maven / org.apache.iotdb:iotdb-core

Package

Name: org.apache.iotdb:iotdb-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.iotdb/iotdb-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.3.4

Affected versions

1.*

1.3.0

1.3.1

1.3.2

1.3.3