net.opentsdb:opentsdb@2.3.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the net.opentsdb:opentsdb package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable version
  • Arbitrary Code Execution (severity: High)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Arbitrary Code Execution by writing user-controlled input to the Gnuplot configuration file and running Gnuplot with the generated configuration.

How to fix Arbitrary Code Execution?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Cross-site Scripting (XSS) (severity: High)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint.

Note: This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability in the suggestion endpoint.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Command Injection (severity: Critical)


Affected versions of this package are vulnerable to Command Injection due to insufficient validation of parameters passed to the legacy HTTP query API.

Note: This issue exists because of an incomplete fix applied when the vulnerability was previously disclosed as CVE-2020-35476. The regex validation added to restrict input accepted by the query API does not work as intended, so crafted input can bypass it.

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Cross-site Scripting (XSS) (severity: Medium)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the json parameter, in the /q endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

Vulnerable versions: [0,)
  • Cross-site Scripting (XSS) (severity: Medium)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the type parameter, in the /suggest endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

Vulnerable versions: [0,)
  • Arbitrary Code Execution (severity: High)


Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to bypass the command injection sanitization in /src/tsd/GraphHandler.java and execute arbitrary commands. Payload: [33:system('touch/tmp/poc.txt')]

PoC

http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

When the payload is passed via one of these parameters, it is written to a gnuplot file in the /tmp directory, and that file is executed by OpenTSDB via the /src/mygnuplot.sh shell script. When mygnuplot.sh runs, the poc.txt file is written to the temp directory.

How to fix Arbitrary Code Execution?

Upgrade net.opentsdb:opentsdb to version 2.4.1 or higher.

Vulnerable versions: [0,2.4.1)
  • Arbitrary Command Execution (severity: Critical)


Affected versions of this package are vulnerable to Arbitrary Command Execution. An attacker could execute commands by using parameters in the /q URI, including o, key, style, yrange and y2range, and their JSON input.

How to fix Arbitrary Command Execution?

Upgrade net.opentsdb:opentsdb to version 2.3.1 or higher.

Vulnerable versions: [,2.3.1)