PyPI: apache-iotdb
CVE-2022-43766
Safety vulnerability ID: SFTY-20221026-20361
Safety legacy ID: pyup.io-62772
Overview
Apache IoTDB subject to ReDoS with Java 8
Advisory
Apache IoTDB versions 0.12.2 through 0.12.6 and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack (regular-expression denial of service, ReDoS) when they accept untrusted patterns for REGEXP queries while running on Java 8. Users should upgrade to 0.13.3, which addresses this issue, or run IoTDB on a later version of Java to avoid it. Aliases: GHSA-g6hg-4v3c-6jq7, PYSEC-2022-42972
Affected Package
apache-iotdb (PyPI), versions 0.12.2 through 0.12.6 and 0.13.0 through 0.13.2
How to Fix
Upgrade to Apache IoTDB 0.13.3 or later.
Mitigation and Workarounds
Run IoTDB on a Java version later than 8, and do not accept REGEXP patterns from untrusted sources.
References
- https://getsafety.com/vulnerabilities/SFTY-20221026-20361/CVE-2022-43766
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43766
- https://nvd.nist.gov/vuln/detail/CVE-2022-43766
- https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn
- https://lists.apache.org/thread/rxytj48q17304snonjtyt5lnlw64gccc
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml
- https://github.com/advisories/GHSA-g6hg-4v3c-6jq7
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.