
=====================================================================

                                 CERT-Renater

                     Information Note No. 2022/VULN316

_____________________________________________________________________

DATE                : 06/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache IoTDB versions prior
                                  to 0.13.1.

=====================================================================
https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j
https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0
_____________________________________________________________________


CVE-2022-38370: Apache IoTDB: No authorization of
DatabaseConnectController in grafana-connector.

Posted to dev@iotdb.apache.org

Haonan Hou - Monday 5 September 2022 10:42:49 UTC+2


Description:

Apache IoTDB grafana-connector version 0.13.0 contains an interface
without authorization, which may expose the internal structure of
the database. Users should upgrade to version 0.13.1, which addresses
this issue.

____________________________________________________________

CVE-2022-38369: Apache IoTDB: Login check vulnerability by
session Id

Posted to dev@iotdb.apache.org

Haonan Hou - Monday 5 September 2022 10:41:38 UTC+2


Description:

Apache IoTDB version 0.13.0 is vulnerable to a session id
attack. Users should upgrade to version 0.13.1, which
addresses this issue.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

