Rewterz

Multiple Apache Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-26795 CVSS:6.5

Apache IoTDB could allow a remote authenticated attacker to obtain sensitive information, caused by the insertion of sensitive information into a log file in the JDBC driver.

CVE-2025-26864 CVSS:6.5

Apache IoTDB could allow a remote authenticated attacker to obtain sensitive information, caused by the insertion of sensitive information into a log file in the OpenIdAuthorizer feature.

CVE-2025-47436 CVSS:6

A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempt to copy 295 bytes into it, resulting in memory corruption.
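The class of defect described for CVE-2025-47436, shown from the defensive side as an added example (not Apache ORC code and not taken from the advisory): a decoder that checks every copy against the allocated output size, so a stream that expands to 295 bytes is rejected when the buffer holds 250. The toy token format, the function names and the sample stream are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy LZ-style stream (constructed for this example, NOT the LZO or ORC format):
 *   0x00 len <len bytes>   literal run
 *   0x01 len dist          copy len bytes from dist bytes back in the output
 * Returns bytes written, or -1 if decoding would read or write out of bounds. */
long safe_decompress(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        if (in_len - ip < 2) return -1;             /* truncated token header */
        uint8_t tag = in[ip], len = in[ip + 1];
        ip += 2;
        if (len > out_cap - op) return -1;          /* would overrun the output buffer */
        if (tag == 0x00) {
            if (len > in_len - ip) return -1;       /* literal run longer than the input */
            memcpy(out + op, in + ip, len);
            ip += len;
        } else if (tag == 0x01) {
            if (ip >= in_len) return -1;            /* missing distance byte */
            size_t dist = in[ip++];
            if (dist == 0 || dist > op) return -1;  /* reference before buffer start */
            for (size_t i = 0; i < len; i++)        /* byte-wise: ranges may overlap */
                out[op + i] = out[op + i - dist];
        } else {
            return -1;                              /* unknown token */
        }
        op += len;                                  /* invariant: op <= out_cap */
    }
    return (long)op;
}

/* Constructed input: 200 literal bytes plus a 95-byte back-reference, which is
 * 295 bytes of output, decoded into a buffer limited to out_cap bytes. */
long decode_295_into(size_t out_cap)
{
    uint8_t in[2 + 200 + 3], out[512];
    if (out_cap > sizeof out) return -1;
    in[0] = 0x00; in[1] = 200;
    memset(in + 2, 'A', 200);
    in[202] = 0x01; in[203] = 95; in[204] = 1;
    return safe_decompress(in, sizeof in, out, out_cap);
}
```

The key check is the comparison of each token's length with the space remaining in the output, made before any byte is copied; a decoder that trusts a size declared elsewhere in the file instead writes past the allocation.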

CVE-2025-46762 CVSS:9.8

Apache Parquet could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when reading an Avro schema from a Parquet file's metadata.

CVE-2025-46392 CVSS:5.3

Apache Commons Configuration is vulnerable to a denial of service, caused by an error when loading untrusted configurations or when it is used in unexpected ways. An attacker could exploit this vulnerability to cause excessive resource consumption.

Impact

  • Buffer Overflow
  • Information Disclosure
  • Code Execution
  • Denial of Service

Indicators of Compromise

CVE

  • CVE-2025-26795
  • CVE-2025-26864
  • CVE-2025-47436
  • CVE-2025-46762
  • CVE-2025-46392

Affected Vendors

Apache

Affected Products

  • Apache IoTDB - 0.10.0 - 1.3.3 - 2.0.1-beta
  • Apache ORC - 1.8.8
  • Apache ORC - 1.9.0 - 1.9.5
  • Apache ORC - 2.0.0 - 2.0.4
  • Apache ORC - 2.1.0 - 2.1.1
  • Apache Parquet - 1.15.2
  • Apache Commons Configuration

Remediation

Upgrade to the latest version of the affected Apache product, available from the corresponding Apache security advisory:

  • CVE-2025-26864
  • CVE-2025-26795
  • CVE-2025-47436
  • CVE-2025-46762
  • CVE-2025-46392