CVE-2022-43766

CWE-400 — Uncontrolled Resource Consumption5 documents4 sources

Severity

7.5HIGH

EPSS

2.3%

top 15.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Iotdb Apache Iotdb

Timeline

PublishedOct 26

Description

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶PyPIapache-iotdb0.12.2 — 0.13.3+2

▶Mavenorg.apache.iotdb:tsfile0.12.2 — 0.13.3

▶Mavenorg.apache.iotdb:iotdb-server0.12.2 — 0.13.3

▶CVEListV5apache_software_foundation/apache_iotdb0.12.2 — unspecified+1

▶Mavenorg.apache.iotdb:flink-tsfile-connector0.12.2 — 0.13.3

🔴Vulnerability Details

GHSA

Apache IoTDB subject to ReDOS with Java 8↗2022-10-26

▶

OSV

Apache IoTDB subject to ReDOS with Java 8↗2022-10-26

▶

CVEList

Apache IoTDB prior to 0.13.3 allows DoS↗2022-10-26

▶

OSV

CVE-2022-43766: Apache IoTDB version 0↗2022-10-26

▶