CVE-2022-43766 - Vulnerability Details - OpenCVE

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Apache	Iotdb

Configuration 1 [-]

OR	cpe:2.3:a:apache:iotdb::::::::
	cpe:2.3:a:apache:iotdb::::::::

No data.

References

Link	Providers
https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn

History

Thu, 08 May 2025 08:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 May 2025 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-10-26T00:00:00.000Z

Updated: 2025-05-07T13:39:27.151Z

Reserved: 2022-10-26T00:00:00.000Z

Link: CVE-2022-43766

Vulnrichment

Updated: 2024-08-03T13:40:06.448Z

NVD

Status : Modified

Published: 2022-10-26T16:15:11.897

Modified: 2025-05-07T14:15:37.963

Link: CVE-2022-43766

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-43766", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2025-05-07T13:39:27.151Z", "dateReserved": "2022-10-26T00:00:00.000Z", "datePublished": "2022-10-26T00:00:00.000Z"}, "containers": {"cna": {"title": "Apache IoTDB prior to 0.13.3 allows DoS", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-10-26T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache IoTDB", "versions": [{"version": "unspecified", "lessThanOrEqual": "0.13.2", "status": "affected", "versionType": "custom"}, {"version": "0.12.2", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"}], "credits": [{"lang": "en", "value": "This issue was discovered by 4ra1n of Chaitin Tech"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "low"}}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": " "}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:40:06.448Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:38:38.720444Z", "id": "CVE-2022-43766", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:39:27.151Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:40:06.448Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-43766", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T13:38:38.720444Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:39:13.307Z"}}], "cna": {"title": "Apache IoTDB prior to 0.13.3 allows DoS", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "This issue was discovered by 4ra1n of Chaitin Tech"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache IoTDB", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "0.13.2"}, {"status": "affected", "version": "0.12.2", "lessThan": "unspecified", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": " "}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-10-26T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-43766", "state": "PUBLISHED", "dateUpdated": "2025-05-07T13:39:27.151Z", "dateReserved": "2022-10-26T00:00:00.000Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2022-10-26T00:00:00.000Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7B6C6AE-A4C8-4C1E-A0CF-BE51A8D20A94", "versionEndIncluding": "0.12.6", "versionStartIncluding": "0.12.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABCDF20A-C644-42F2-9BCC-E5903D2796E4", "versionEndIncluding": "0.13.2", "versionStartIncluding": "0.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it."}, {"lang": "es", "value": "Apache IoTDB versiones 0.12.2 a 0.12.6 y 0.13.0 a 0.13.2, son vulnerables a un ataque de Denegaci\u00f3n de Servicio cuando aceptan patrones no confiables para consultas REGEXP con Java versi\u00f3n 8. Los usuarios deben actualizar a versi\u00f3n 0.13.3, que aborda este problema o usar una versi\u00f3n posterior de Java para evitarlo"}], "id": "CVE-2022-43766", "lastModified": "2025-05-07T14:15:37.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-10-26T16:15:11.897", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}