cve-2024-24780
Vulnerability from cvelistv5
Published
2025-05-14 10:42
Modified
2025-05-15 04:01
Severity ?
Summary
Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function
References
security@apache.orghttps://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2025/05/14/2
Impacted products
Apache Software FoundationApache IoTDB
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-14T11:03:09.771Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/14/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-24780",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T04:01:59.925Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache IoTDB",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.3.4",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Y4 tacker"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Nbxiglk"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u0026nbsp;privilege to create UDF can register malicious function from\u0026nbsp;untrusted URI.\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.4, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u00a0privilege to create UDF can register malicious function from\u00a0untrusted URI.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\n\nUsers are recommended to upgrade to version 1.3.4, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution with untrusted URI of User-defined function",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-14T10:42:20.580Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-24780",
    "datePublished": "2025-05-14T10:42:20.580Z",
    "dateReserved": "2024-01-30T10:43:03.969Z",
    "dateUpdated": "2025-05-15T04:01:59.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-24780\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-05-14T11:15:47.683\",\"lastModified\":\"2025-05-16T14:43:56.797\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has\u00a0privilege to create UDF can register malicious function from\u00a0untrusted URI.\\n\\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.4.\\n\\nUsers are recommended to upgrade to version 1.3.4, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo con URI no confiable de UDF en Apache IoTDB. El atacante con privilegios para crear UDF puede registrar una funci\u00f3n maliciosa desde una URI no confiable. Este problema afecta a Apache IoTDB desde la versi\u00f3n 1.0.0 hasta la 1.3.4. Se recomienda actualizar a la versi\u00f3n 1.3.4, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/05/14/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.