CVE-2023-46226
Severity: CRITICAL 9.8 | EPSS: 3.4%
Remote Code Execution vulnerability in Apache IoTDB via UDF
Published: 1/15/2024 | Modified: 6/20/2025
Description
Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.
Affected packages (2)
- Maven/org.apache.iotdb:iotdb-core >= 1.0.0, < 1.3.0
- PyPI/apache-iotdb >= 1.0.0, < 1.3.0
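Added example (not the advisory's or the IoTDB project's own code): a small Python check that compares declared or installed Apache IoTDB versions against the affected range above. It compares version components numerically rather than as strings (a string comparison would put "1.10.0" before "1.3.0" and misflag it), and it treats pre-release builds of the fixed version, such as "1.3.0-SNAPSHOT", as still affected. The package coordinates come from the list above; the dependency list it scans is constructed for illustration.

```python
"""Flag Apache IoTDB dependencies inside the CVE-2023-46226 affected range.

Affected range from the advisory: 1.0.0 <= version < 1.3.0 (fixed in 1.3.0).
The sample dependency list at the bottom is constructed, not real data.
"""
import re

# Package coordinates listed on the advisory page, keyed by ecosystem.
AFFECTED_PACKAGES = {
    "maven": "org.apache.iotdb:iotdb-core",
    "pypi": "apache-iotdb",
}

# Versions are compared as (major, minor, patch, is_final) tuples.
# is_final is 1 for a plain release and 0 for a pre-release ("-rc1",
# "-SNAPSHOT"), so a pre-release sorts before the final release of the
# same number. Pre-releases of 1.0.0 are treated as affected, and only
# the final 1.3.0 release counts as fixed (conservative assumptions).
AFFECTED_MIN = (1, 0, 0, 0)
FIXED = (1, 3, 0, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Turn '1.2.2', '1.10.0' or '1.3.0-SNAPSHOT' into a comparable tuple."""
    # '+build' metadata never affects precedence, so drop it first.
    core = text.strip().split("+", 1)[0]
    m = _VERSION_RE.match(core)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def is_affected(version):
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def scan_dependencies(deps):
    """deps: iterable of (ecosystem, package_name, version).

    Returns the subset that names an affected IoTDB package at an
    affected version. Unrelated packages are ignored.
    """
    hits = []
    for ecosystem, name, version in deps:
        if AFFECTED_PACKAGES.get(ecosystem.lower()) != name:
            continue
        if is_affected(version):
            hits.append((ecosystem, name, version))
    return hits


# Constructed sample input (hypothetical dependency inventory).
SAMPLE_DEPENDENCIES = [
    ("pypi", "apache-iotdb", "1.2.2"),                     # affected (last vulnerable release)
    ("pypi", "apache-iotdb", "1.3.0"),                     # fixed
    ("maven", "org.apache.iotdb:iotdb-core", "1.1.0"),     # affected
    ("maven", "org.apache.iotdb:iotdb-core", "1.3.0-SNAPSHOT"),  # pre-release of the fix: flagged
    ("maven", "org.apache.iotdb:iotdb-core", "1.10.0"),    # not affected; string compare would misflag
    ("maven", "org.apache.iotdb:iotdb-core", "0.13.4"),    # pre-1.0, outside the range
    ("pypi", "numpy", "1.2.0"),                            # unrelated package, ignored
]

if __name__ == "__main__":
    for hit in scan_dependencies(SAMPLE_DEPENDENCIES):
        print("AFFECTED:", *hit)
```

Feed `scan_dependencies` the output of your own inventory (for example `pip show apache-iotdb` or a resolved Maven dependency tree) rather than the constructed list; the version parser deliberately raises on strings it cannot read so that an unexpected format is surfaced instead of silently passing.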
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-46226
- PATCH: https://github.com/apache/iotdb
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2024-11.yaml
- WEB: https://lists.apache.org/thread/293b4ob65ftnfwyf62fb9zh8gwdy38hg
- WEB: http://www.openwall.com/lists/oss-security/2024/01/15/1