net.opentsdb:opentsdb@2.3.0-RC2 vulnerabilities

  • latest version

    2.4.1

  • first published

    9 years ago

  • latest version published

    3 years ago

  • Direct Vulnerabilities

    Known vulnerabilities in the net.opentsdb:opentsdb package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version range
• High severity: Arbitrary Code Execution

    net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

    Affected versions of this package are vulnerable to Arbitrary Code Execution by writing user-controlled input to the Gnuplot configuration file and running Gnuplot with the generated configuration.

    How to fix Arbitrary Code Execution?

    A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
• High severity: Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint.

Note: This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability in the /suggest endpoint.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
• Critical severity: Command Injection

    Affected versions of this package are vulnerable to Command Injection due to insufficient validation of parameters passed to the legacy HTTP query API.

Note: This issue exists because the fix shipped for the earlier disclosure, CVE-2020-35476, was incomplete. The regex validation added to restrict input to the query API does not work as intended, so crafted commands bypass it.

    How to fix Command Injection?

    A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
• Medium severity: Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the json parameter, in the /q endpoint.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for net.opentsdb:opentsdb.

Vulnerable versions: [0,)
• Medium severity: Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the type parameter, in the /suggest endpoint.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for net.opentsdb:opentsdb.

Vulnerable versions: [0,)
• High severity: Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to bypass the command-injection sanitization in /src/tsd/GraphHandler.java and execute arbitrary commands. Payload (supplied as the yrange parameter): [33:system('touch /tmp/poc.txt')]

    PoC

    
http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch /tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
    

When the payload is passed via one of the range parameters, OpenTSDB writes it into a gnuplot script under /tmp and then runs that script through the /src/mygnuplot.sh wrapper. gnuplot evaluates the system() call while processing the range, so /tmp/poc.txt is created with the privileges of the OpenTSDB process.

    How to fix Arbitrary Code Execution?

    Upgrade net.opentsdb:opentsdb to version 2.4.1 or higher.

Vulnerable versions: [0,2.4.1)
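The following is an added example in Python, not code from OpenTSDB or from the Snyk advisory. It reconstructs the shape of the bug described above: a range parameter pasted verbatim into a gnuplot script, next to an allow-list validator that only accepts plain numeric bounds. The script template, the host opentsdbhost.local and the helper names are illustrative assumptions; only the payload is taken from the PoC.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the PoC request above (hypothetical host, trimmed to the relevant parameters).
POC_URL = (
    "http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44"
    "&m=sum:sys.cpu.nice&o=&yrange=[33:system('touch /tmp/poc.txt')]"
    "&wxh=1516x644&style=linespoint&json"
)
CLEAN_URL = "http://opentsdbhost.local/q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[0:100]&json"


def query_params(url):
    """Flatten the query string to {name: first value}; blank values such as '&json' are kept."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def build_script_vulnerable(params):
    """Illustrative version of the bug (not OpenTSDB's real template): range strings are written
    into the gnuplot script verbatim. gnuplot evaluates expressions inside 'set yrange [lo:hi]',
    so a system('...') call in a bound runs a shell command when the script is executed."""
    lines = ["set terminal png size 1516,644", "set output '/tmp/plot.png'"]
    for name in ("xrange", "yrange", "y2range"):
        if params.get(name):
            lines.append(f"set {name} {params[name]}")
    lines.append("plot '/tmp/data.txt' with linespoints")
    return "\n".join(lines) + "\n"


# Allow-list for a range: '[lo:hi]' where each bound is an optional signed decimal number.
# An empty bound ('[:100]', '[:]') means autoscale, which gnuplot accepts. Nothing else matches,
# so function calls, quotes and backticks never reach the script.
_NUM = r"-?\d+(?:\.\d+)?"
RANGE_RE = re.compile(rf"^\[({_NUM})?:({_NUM})?\]$")


def validate_range(value):
    """Return value unchanged if it is a plain numeric range, otherwise raise ValueError."""
    if not RANGE_RE.fullmatch(value):
        raise ValueError(f"rejected range parameter: {value!r}")
    return value


def build_script_hardened(params):
    """Same script, but every range is allow-listed before it is written out."""
    lines = ["set terminal png size 1516,644", "set output '/tmp/plot.png'"]
    for name in ("xrange", "yrange", "y2range"):
        if params.get(name):
            lines.append(f"set {name} {validate_range(params[name])}")
    lines.append("plot '/tmp/data.txt' with linespoints")
    return "\n".join(lines) + "\n"


def is_blocked(url):
    """True when the hardened builder refuses the request."""
    try:
        build_script_hardened(query_params(url))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_script_vulnerable(query_params(POC_URL)))  # the system() call lands in the script
    print("PoC blocked:", is_blocked(POC_URL), "clean request blocked:", is_blocked(CLEAN_URL))
```

The point of the allow-list is that it describes what a range looks like rather than what an attack looks like: a deny-list that strips `system(` still leaves backtick substitution, `exec`, and any other gnuplot expression the author did not think of.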
• Critical severity: Arbitrary Command Execution

Affected versions of this package are vulnerable to Arbitrary Command Execution. An attacker can execute commands through parameters of the /q URI, including o, key, style, yrange and y2range, and through the corresponding fields of the JSON query input.

How to fix Arbitrary Command Execution?

    Upgrade net.opentsdb:opentsdb to version 2.3.1 or higher.

Vulnerable versions: [,2.3.1)
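An added detection example, written for this page and not part of OpenTSDB or the Snyk advisory: it scans access-log lines for the parameters named in the command-execution entries (o, key, style, yrange, y2range, xrange on /q) and in the reflected-XSS entries (json on /q, type on /suggest). The log lines are constructed, the token lists are hypothetical starting points, and the function names are the example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters this page names as sinks: gnuplot options on /q (command execution) and values
# reflected into HTML error messages on /q and /suggest (XSS).
GNUPLOT_PARAMS = {"o", "key", "style", "yrange", "y2range", "xrange"}
REFLECTED_PARAMS = {"/q": {"json"}, "/suggest": {"type"}}

# Tokens that never belong in a numeric range or plot style: gnuplot's system()/exec hooks,
# backtick substitution and a leading '!' shell escape. Hypothetical list, extend as needed.
GNUPLOT_BAD = re.compile(r"system\s*\(|`|\bexec\b|^\s*!", re.I)
# Markup that marks an XSS probe in a parameter that gets echoed back to the client.
XSS_BAD = re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b|on\w+\s*=|javascript:", re.I)

# Combined-log-format line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real OpenTSDB logs): line 2 carries the PoC from this page,
# line 3 a reflected-XSS probe against /suggest, lines 1 and 4 are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2020:15:56:44 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[0:100]&json HTTP/1.1" 200 512
10.0.0.9 - - [25/Oct/2020:15:57:01 +0000] "GET /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&xrange=10:10&yrange=[33:system('touch%20/tmp/poc.txt')]&wxh=1516x644&style=linespoint&json HTTP/1.1" 200 88
10.0.0.9 - - [25/Oct/2020:15:58:13 +0000] "GET /suggest?type=%3Cscript%3Ealert(1)%3C/script%3E&q=sys HTTP/1.1" 400 210
10.0.0.7 - - [25/Oct/2020:15:59:30 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200 2048
"""


def scan_request(client, target):
    """Return a list of findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = parts.path
    findings = []
    if path not in ("/q", "/suggest"):
        return findings
    # parse_qs percent-decodes values, so '%20' and '%3C' are inspected as ' ' and '<'.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if path == "/q" and name in GNUPLOT_PARAMS and GNUPLOT_BAD.search(value):
                findings.append({"client": client, "path": path, "param": name,
                                 "value": value, "kind": "gnuplot-injection"})
            elif name in REFLECTED_PARAMS.get(path, ()) and XSS_BAD.search(value):
                findings.append({"client": client, "path": path, "param": name,
                                 "value": value, "kind": "reflected-xss"})
    return findings


def scan_log(text):
    """Run scan_request over every parseable line; lines that do not match LOG_RE are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings.extend(scan_request(m["client"], m["target"]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['kind']:18} {f['client']:10} {f['path']} {f['param']}={f['value']!r}")
```

Because the fixes for the master-branch-only entries are not in any published release, a scan like this over the web server or proxy logs is the practical way to tell whether a 2.4.1 deployment has already been probed; matches on the gnuplot parameters should be treated as attempted code execution on the TSD host, not as a web-only issue.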