PyPI: apache-iotdb
CVE-2025-26864
Safety vulnerability ID: SFTY-20250514-57541
Safety legacy ID: pyup.io-78840
Overview
Apache IoTDB Discloses Sensitive Information via Log Files
Advisory
Affected versions of the Apache IoTDB package are vulnerable to information disclosure through improper handling of sensitive data in log files. The OpenIdAuthorizer component writes sensitive authentication information, including credentials or tokens, to the system log files without sanitization or redaction, exposing that data to any unauthorized user who can read the log files.
References
- https://getsafety.com/vulnerabilities/SFTY-20250514-57541/CVE-2025-26864
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26864
- https://github.com/advisories/GHSA-5fc3-pqf2-57cx
- https://nvd.nist.gov/vuln/detail/CVE-2025-26864
- https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162
- http://www.openwall.com/lists/oss-security/2025/05/14/4
- https://github.com/apache/iotdb/pull/14863
- https://github.com/apache/iotdb/commit/34fcaff6b72470d5ad369307dde7fae8897aea7e
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-60.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
