Severity
High
Analysis Summary
CVE-2023-30771 CVSS:8.6
Apache IoTDB could allow a remote attacker to bypass security restrictions, caused by improper authorization validation by the iotdb-web-workbench component. By sending a specially crafted request, an attacker could exploit this vulnerability to forge the JWTToken to access workbench.
CVE-2023-24831 CVSS:10
Apache IoTDB could allow a remote attacker to bypass security restrictions, caused by improper authentication validation. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVE-2023-25504 CVSS:7.1
Apache Superset is vulnerable to server-side request forgery, caused by a flaw in the import dataset feature. By using a specially crafted argument, an attacker could exploit this vulnerability to conduct SSRF attack to query internal resources.
CVE-2023-27525 CVSS:6.5
Apache Superset could allow a remote authenticate attacker to obtain sensitive information, caused by improper authorization validation. By sending a specially crafted request using non trivial methods, an attacker could exploit this vulnerability to obtain metadata information, and use this information to launch further attacks against the affected system.
Impact
- Security Bypass
- Information Disclosure
- Gain Access
Indicators Of Compromise
CVE
- CVE-2023-30771
- CVE-2023-24831
- CVE-2023-25504
- CVE-2023-27525
Affected Vendors
Apache
Affected Products
- Apache IoTDB 0.13.0
- Apache IoTDB 0.13.1
- Apache IoTDB 0.13.2
- Apache IoTDB 0.13.3
- Apache Superset 2.0.1
Remediation
Upgrade to the latest version of Apache IoTDB and Apache Superset, available from the Apache Web site.