Impact
Apache IoTDB lacks limits on the time span and aggregation interval in certain query interfaces. An attacker can craft a request with a very large time range and a minimal interval, forcing the DataNode to construct an enormous result set in memory. The massive allocation exhausts the Java heap, leading the process to crash and causing a service interruption for all clients.
Affected Systems
The vulnerability affects Apache IoTDB versions from 1.3.3 up to, but not including, 2.0.8. All deployments of these versions that expose the affected aggregation queries are at risk.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity denial-of-service condition, while the EPSS score of less than 1% suggests the probability of exploitation is low but not negligible. The issue is not listed in the CISA KEV catalog. The likely attack vector over the network to a vulnerable DataNode; based on the description, it is inferred that no special privileges are required. Because the flaw relies only on configurable query parameters, it is straightforward for an external actor to trigger the crash once the vulnerable service is reachable.
OpenCVE Enrichment