CVE-2020-1952
Improper Certificate Validation in Apache IoTDB
9.8
CRITICAL
CVSS 3.1
EPSS 1.7%
Description
An issue was found in Apache IoTDB 0.9.0 to 0.9.1 and 0.8.0 to 0.8.2. When IoTDB starts, the JMX port 31999 is exposed with no authentication, so remote clients could execute code on the server.
How to fix CVE-2020-1952
To remediate CVE-2020-1952, upgrade the affected package to a fixed version listed below.
- Maven/org.apache.iotdb:iotdb-parent—upgrade to 0.9.2 or later
Is CVE-2020-1952 being exploited?
Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.apache.iotdb:iotdb-parent: all versions from 0, < 0.9.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |