Lucene search

Veracode Vulnerability DatabaseVERACODE:44784

HistoryDec 22, 2023 - 5:54 a.m.

Deserialization Of Untrusted Data

2023-12-2205:54:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache

iotdb

vulnerability

deserialization

untrusted

data

key/values

deviceownerfile

deserializedeviceownermap

objectoutputstream

arbitrary code execution

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.037 Low

EPSS

Percentile

91.8%

JSON

Apache IoTDB is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to directly deserializing the key/values from the deviceOwnerFile within the deSerializeDeviceOwnerMap method. Each key/value from the owner file is parsed directly using the ObjectOutputStream class, without proper string sanitization, which can result in arbitrary code execution.

CPENameOperatorVersion
iotdb: core: data-node (server)le1.2.1
iotdb: core: data-node (server)le1.2.1

CPE	Name	Operator	Version
	iotdb: core: data-node (server)	le	1.2.1
	iotdb: core: data-node (server)	le	1.2.1

References

www.openwall.com/lists/oss-security/2023/12/21/5

github.com/advisories/GHSA-f23h-52hj-99p6

github.com/apache/iotdb/commit/d747cb89991cacce19e85d7572d5afd7ab32e4a9

lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.037 Low

EPSS

Percentile

91.8%

JSON

Related for VERACODE:44784