GHSA-g6hg-4v3c-6jq7

GitHub Security Advisory

Apache IoTDB subject to ReDOS with Java 8

Severity: HIGH · GitHub Reviewed · Has CVE

Advisory Details

Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2, are vulnerable to denial of service (regular-expression denial of service, ReDoS) when a REGEXP query is executed with an untrusted pattern on Java 8, whose java.util.regex engine can backtrack catastrophically on such patterns. The issue is patched in IoTDB 0.13.3. Users should upgrade to 0.13.3 or later, or run IoTDB on a later Java version that does not exhibit the pathological backtracking.
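The advisory does not show IoTDB's own fix, so the following is an added example, not code from the IoTDB project or the advisory. It demonstrates the failure mode and one generic mitigation for any Java service that must evaluate user-supplied regular expressions: wrap the input in a CharSequence that checks a deadline on every charAt(), so a pattern that backtracks exponentially is cut off instead of pinning the query thread. The class and method names (BoundedRegexp, DeadlineCharSequence, matchesWithin) and the sample pattern and inputs are constructed for this illustration.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not IoTDB code): bound the time a user-supplied regular
 * expression may consume, so a backtracking-heavy pattern cannot hold a
 * query thread indefinitely.
 */
public class BoundedRegexp {

    /** Thrown when a match exceeds its time budget. */
    public static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    /**
     * CharSequence view of the input that checks a deadline on every charAt().
     * java.util.regex reads the subject text only through this interface, so a
     * runaway backtracking search is interrupted the next time it reads a char.
     */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException("regex evaluation exceeded time budget");
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /** Matches value against pattern, giving up once budgetMillis have elapsed. */
    public static boolean matchesWithin(Pattern pattern, String value, long budgetMillis) {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis);
        Matcher m = pattern.matcher(new DeadlineCharSequence(value, deadline));
        return m.matches();
    }

    public static void main(String[] args) {
        // Constructed attacker-style pattern: nested quantifiers that force
        // exponential backtracking on a near-miss input (32 'a's then a non-match).
        Pattern hostile = Pattern.compile("^(a+)+$");
        String nearMiss = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!";

        long start = System.nanoTime();
        try {
            System.out.println("hostile matched: " + matchesWithin(hostile, nearMiss, 200));
        } catch (RegexTimeoutException e) {
            System.out.println("hostile aborted: " + e.getMessage());
        }
        System.out.printf("elapsed %d ms%n",
                TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start));

        // A benign pattern on a realistic time-series path completes normally
        // under the same budget.
        Pattern benign = Pattern.compile("^root\\.sg[0-9]+\\..*$");
        System.out.println("benign matched: " + matchesWithin(benign, "root.sg1.d1.s1", 200));
    }
}
```

On Java 8 the hostile pattern runs for an impractically long time without the deadline and is aborted after roughly 200 ms with it; on Java 9 and later the regex engine memoizes loop positions for this class of pattern, so the same call simply returns false quickly, which is the behaviour the advisory's "use a later version of Java" advice relies on. A time budget is a backstop, not a substitute for the vendor fix: it still lets a caller burn the full budget per query, so it should be paired with the 0.13.3 upgrade and with rate limiting on the REGEXP path.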

Affected Packages

Maven org.apache.iotdb:flink-tsfile-connector
Affected versions: 0.12.2 through 0.12.6, 0.13.0 through 0.13.2 (fixed in 0.13.3)
PyPI apache-iotdb
Affected versions: 0.12.2 through 0.12.6, 0.13.0 through 0.13.2 (fixed in 0.13.3)
Maven org.apache.iotdb:iotdb-server
Affected versions: 0.12.2 through 0.12.6, 0.13.0 through 0.13.2 (fixed in 0.13.3)
Maven org.apache.iotdb:tsfile
Affected versions: 0.12.2 through 0.12.6, 0.13.0 through 0.13.2 (fixed in 0.13.3)

Key Information

GHSA ID
GHSA-g6hg-4v3c-6jq7
Published
October 26, 2022 7:00 PM
Last Modified
September 12, 2024 8:28 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.apache.iotdb:flink-tsfile-connector
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.