oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-26864: Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication

From: Haonan Hou <haonan () apache org>
Date: Wed, 14 May 2025 01:34:05 +0000
Severity: low

Affected versions:

- Apache IoTDB 0.10.0 through 1.3.3
- Apache IoTDB 2.0.1-beta before 2.0.2

Description:

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File 
vulnerability in the OpenIdAuthorizer of Apache IoTDB.

This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.

Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

Credit:

Kyler Katz (finder)

References:

https://iotdb.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-26864
Previous By Date Next
Previous By Thread Next

Current thread: