=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN271
_____________________________________________________________________

DATE                : 09/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache IoTDB versions prior
                                to 1.3.6, 2.0.6.

=====================================================================
https://lists.apache.org/thread/ph91p0z9pyv4lfw0m0jd81cv3825nz5h
https://lists.apache.org/thread/wdxmvf2b34yljf7vzjvvttdm1dk3p5b5
https://lists.apache.org/thread/mckxowd1pfrx2qrqk8pwncn84fbfrhf0
https://lists.apache.org/thread/033o55hjtlfvdtsxh7yhwp7lzw08152h
_____________________________________________________________________

CVE-2026-24015: Apache IoTDB: Insecure Default Configuration
Vulnerability
Severity: important

Affected versions:

- Apache IoTDB 1.0.0 before 1.3.7
- Apache IoTDB 2.0.0 before 2.0.7

Description:

An insecure default configuration vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0
before 2.0.7.

Users are recommended to upgrade to version 1.3.7 or 2.0.7, which
fix the issue.

Credit:

Mapta / BugBunny_ai (finder)

References:

https://iotdb.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-24015

_____________________________________________________________________

CVE-2026-24713: Apache IoTDB: JEXL Expression Injection Vulnerability
Severity: important

Affected versions:

- Apache IoTDB 1.0.0 before 1.3.7
- Apache IoTDB 2.0.0 before 2.0.7

Description:

Improper Input Validation vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0
before 2.0.7.

Users are recommended to upgrade to version 1.3.7 or 2.0.7, which
fix the issue.

Credit:

Yongzhi Liu of Tencent YunDing Security Lab (finder)

References:

https://iotdb.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-24713

_____________________________________________________________________

CVE-2025-64152: Apache IoTDB: Path Traversal Vulnerability
Severity: low

Affected versions:

- Apache IoTDB 1.0.0 before 1.3.6
- Apache IoTDB 2.0.0 before 2.0.7

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0
before 2.0.7.

Users are recommended to upgrade to version 1.3.6 or 2.0.7, which
fix the issue.

Credit:

Yan Nan (Detecon Security Lab) (finder)

References:

https://iotdb.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-64152

_____________________________________________________________________

CVE-2025-55017: Apache IoTDB: Path Traversal Vulnerability
Severity: low

Affected versions:

- Apache IoTDB 2.0.0 before 2.0.6
- Apache IoTDB 1.0.0 before 1.3.6

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0
before 1.3.6.

Users are recommended to upgrade to version 1.3.6 or 2.0.6, which
fix the issue.

Credit:

qx (finder)

References:

https://iotdb.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-55017

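Added here as a worked check, not part of the CERT-Renater note or of the Apache IoTDB project: a small Python script that maps an installed IoTDB version string to the CVEs above whose affected ranges contain it, using only the ranges stated in this note. The version-string format and the handling of pre-release suffixes (e.g. "-SNAPSHOT") are assumptions.

```python
# Affected ranges copied from the four CVE entries above:
# (lower bound inclusive, upper bound exclusive), one pair per release line.
AFFECTED = {
    "CVE-2026-24015": [("1.0.0", "1.3.7"), ("2.0.0", "2.0.7")],
    "CVE-2026-24713": [("1.0.0", "1.3.7"), ("2.0.0", "2.0.7")],
    "CVE-2025-64152": [("1.0.0", "1.3.6"), ("2.0.0", "2.0.7")],
    "CVE-2025-55017": [("1.0.0", "1.3.6"), ("2.0.0", "2.0.6")],
}


def parse_version(v: str) -> tuple:
    """Turn '1.3.6' or '2.0.7-SNAPSHOT' into a comparable tuple.

    Assumption: IoTDB uses dotted numeric versions with an optional
    '-suffix'. A suffixed build is treated as a pre-release that sorts
    before the plain release, so '2.0.7-SNAPSHOT' still counts as
    affected although '2.0.7' does not.
    """
    core, _, suffix = v.strip().partition("-")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised IoTDB version string: {v!r}")
    nums = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    return nums[:3] + ((-1,) if suffix else (0,))


def affected_cves(version: str) -> list:
    """Return the CVEs from this note whose affected ranges contain `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("1.3.5", "1.3.6", "1.3.7", "2.0.6", "2.0.7-SNAPSHOT", "2.0.7"):
        found = affected_cves(sample)
        print(f"{sample:16} {', '.join(found) if found else 'not affected'}")
```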


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================