Opentsdb
CVE-2023-36812
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit 07c4641471c and further refined in commit fa88d3e4b. These patches are available in the 2.4.2 release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config optiontsd.core.enable_ui = true and remove the shell files mygnuplot.bat and mygnuplot.sh.
AnalysisAI
OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-74. OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit 07c4641471c and further refined in commit fa88d3e4b. These patches are available in the 2.4.2 release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config optiontsd.core.enable_ui = true and remove the shell files mygnuplot.bat and mygnuplot.sh. Affected products include: Opentsdb.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS co
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. Ra
An issue was discovered in OpenTSDB 2.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl
Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging en
An issue was discovered in OpenTSDB 2.3.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,
An issue was discovered in OpenTSDB 2.3.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,
Share
External POC / Exploit Code
Leaving vuln.today