How the CVE Works
Apache IoTDB versions 0.10.0 to 1.3.3 and 2.0.1-beta to 2.0.2 suffer from an information disclosure vulnerability in the `OpenIdAuthorizer` component. Sensitive data, including authentication tokens and credentials, may be inadvertently logged in plaintext within system logs. Attackers with access to log files can extract this information, potentially leading to unauthorized access or session hijacking. The flaw arises due to improper sanitization of debug logs in the OpenID/OAuth flow.
DailyCVE Form
Platform: Apache IoTDB
Version: 0.10.0 – 1.3.3, 2.0.1-beta – 2.0.2
Vulnerability: Info Disclosure via Logs
Severity: Moderate
Date: May 14, 2025
What Undercode Says:
Exploitation:
1. Log Extraction: Attackers read logs via exposed endpoints or misconfigured permissions.
```bash
grep -r "token=" /var/log/iotdb/
```
2. Session Hijacking: Stolen tokens allow impersonation.
```http
GET /query?token=STOLEN_TOKEN HTTP/1.1
Host: iotdb.example.com
```
Mitigation:
1. Upgrade Immediately:
```bash
# For 1.x
wget https://iotdb.apache.org/download/1.3.4
# For 2.x
wget https://iotdb.apache.org/download/2.0.2
```
2. Log Sanitization: Modify the logging configuration (`logback.xml`):
```xml
<configuration>
  <filter class="org.apache.iotdb.logmask.SensitiveDataFilter"/>
</configuration>
```
3. Access Control: Restrict log directory permissions:
```bash
chmod 750 /var/log/iotdb/
```
Detection:
1. Check Version:
```sql
SHOW VERSION;
```
2. Audit Logs (the alternation needs extended regex, otherwise `|` is matched literally and nothing is found):
```bash
journalctl -u iotdb --no-pager | grep -iE "token|auth"
```
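A grep hit tells you a secret reached the logs; the next step is to measure how much leaked and to mask it before the logs are shipped to a SIEM or shared with support. The script below is an added example, not code from the post or from the IoTDB project: the field names are common OAuth/OpenID parameter names and the sample log lines are constructed, so they are assumptions about what the `OpenIdAuthorizer` debug output could contain, not its actual format.

```python
import re

# Field names whose values must never appear in a log line. These are common
# OAuth/OpenID parameter names (assumption), not taken from IoTDB's log format.
SECRET_FIELDS = ("token", "access_token", "id_token", "refresh_token",
                 "password", "client_secret")

# key=value or key: value, optionally quoted; the value runs until whitespace
# or a common delimiter. Group 1 is the field name, group 2 the secret value.
KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(SECRET_FIELDS) + r")\b\s*[=:]\s*[\"']?([^\s\"'&,;]+)"
)
# Authorization headers echoed verbatim: "Bearer <token>"
BEARER_PATTERN = re.compile(r"(?i)\b(Bearer)\s+([A-Za-z0-9._~+/=-]{8,})")

def redact(line):
    """Mask secret values in one log line; return (masked_line, values_masked)."""
    count = 0
    def _mask(m):
        nonlocal count
        count += 1
        # keep the field name and separator, replace only the value (group 2)
        return m.group(0)[: m.start(2) - m.start()] + "[REDACTED]"
    line = KV_PATTERN.sub(_mask, line)
    line = BEARER_PATTERN.sub(_mask, line)
    return line, count

def scan(lines):
    """Return (line_no, secrets_found, redacted_line) for every leaking line."""
    findings = []
    for n, line in enumerate(lines, 1):
        clean, hits = redact(line)
        if hits:
            findings.append((n, hits, clean))
    return findings

# Constructed sample log lines; not real IoTDB output.
SAMPLE_LOG = [
    "2025-05-14 10:01:02 INFO  o.a.i.db.auth.OpenIdAuthorizer - validating user alice",
    "2025-05-14 10:01:02 DEBUG o.a.i.db.auth.OpenIdAuthorizer - token=eyJhbGciOiJSUzI1NiJ9.e30.abc123 issuer=https://idp.example.com",
    "2025-05-14 10:01:03 DEBUG o.a.i.db.auth.OpenIdAuthorizer - header Authorization: Bearer ya29.A0ARrdaM-example",
    "2025-05-14 10:01:04 DEBUG o.a.i.db.auth.OpenIdAuthorizer - refresh_token=\"rt_9f8e7d6c\", client_secret: s3cr3t-value",
    "2025-05-14 10:01:05 INFO  o.a.i.db.service.DataNode - query finished in 12 ms",
]

if __name__ == "__main__":
    for line_no, hits, clean in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hits} secret value(s) -> {clean}")
```

Running it against a real file is a matter of passing `open(path)` to `scan`; the redacted lines are what should be forwarded, the counts are what go into the incident record.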
Sources:
Reported By: github.com