PT-2025-21135 · Apache · Apache Iotdb

Nbxiglk

Published

2025-05-14

Updated

2025-05-19

CVE-2024-24780

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Apache IoTDB versions 1.0.0 through 1.3.3

Description: The issue is related to a Remote Code Execution vulnerability with untrusted URI of UDF in Apache IoTDB. An attacker with privilege to create UDF can register a malicious function from an untrusted URI.

Recommendations: For Apache IoTDB versions 1.0.0 through 1.3.3, upgrade to version 1.3.4, which fixes the issue. As a temporary workaround, consider restricting the creation of UDFs to trusted sources until the upgrade is applied.

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2024-24780

GHSA-F4RQ-F4J9-F6RM

PYSEC-2025-59

Affected Products

Apache Iotdb

PT-2025-21135 · Apache · Apache Iotdb

CVE-2024-24780

Weakness Enumeration

Related Identifiers

Affected Products

References · 16