net.opentsdb:opentsdb 2.4.0 vulnerabilities

Known vulnerabilities in the net.opentsdb:opentsdb package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Arbitrary Code Execution net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Arbitrary Code Execution by writing user-controlled input to the `Gnuplot` configuration file and running `Gnuplot` with the generated configuration. How to fix Arbitrary Code Execution? A fix was pushed into the `master` branch but not yet published.	[0,)
H Cross-site Scripting (XSS) net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint. Note: This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint. How to fix Cross-site Scripting (XSS)? A fix was pushed into the `master` branch but not yet published.	[0,)
C Command Injection net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Command Injection due to insufficient validation of parameters passed to the legacy HTTP query API. Note: This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation. How to fix Command Injection? A fix was pushed into the `master` branch but not yet published.	[0,)
M Cross-site Scripting (XSS) net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `json` parameter, in the `/q` endpoint. How to fix Cross-site Scripting (XSS)? There is no fixed version for `net.opentsdb:opentsdb`.	[0,)
M Cross-site Scripting (XSS) net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `type` parameter, in the `/suggest` endpoint. How to fix Cross-site Scripting (XSS)? There is no fixed version for `net.opentsdb:opentsdb`.	[0,)
H Arbitrary Code Execution net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to bypass the command injection sanitation within `/src/tsd/GraphHandler.java` and execute arbitrary commands. Payload: `[33:system('touch/tmp/poc.txt')]` PoC `http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json` When passing the payload via one of the parameters it is written to a `gnuplot` file in the `/tmp` directory and the `gnuplot` file is executed by `OpenTSDB` via the `/src/mygnuplot.sh` shell script. When executed by OpenTSDB mygnuplot.sh the poc.txt file will be written to the temp directory. How to fix Arbitrary Code Execution? Upgrade `net.opentsdb:opentsdb` to version 2.4.1 or higher.	[0,2.4.1)

Vulnerability

Vulnerable Version

Arbitrary Code Execution

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Arbitrary Code Execution by writing user-controlled input to the Gnuplot configuration file and running Gnuplot with the generated configuration.

How to fix Arbitrary Code Execution?

A fix was pushed into the master branch but not yet published.

[0,)

Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint.

Note: This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)

Command Injection

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Command Injection due to insufficient validation of parameters passed to the legacy HTTP query API.

Note: This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

[0,)

Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the json parameter, in the /q endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

[0,)

Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the type parameter, in the /suggest endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

[0,)

Arbitrary Code Execution

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to bypass the command injection sanitation within /src/tsd/GraphHandler.java and execute arbitrary commands. Payload: [33:system('touch/tmp/poc.txt')]

PoC


http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

When passing the payload via one of the parameters it is written to a gnuplot file in the /tmp directory and the gnuplot file is executed by OpenTSDB via the /src/mygnuplot.sh shell script. When executed by OpenTSDB mygnuplot.sh the poc.txt file will be written to the temp directory.

How to fix Arbitrary Code Execution?

Upgrade net.opentsdb:opentsdb to version 2.4.1 or higher.

[0,2.4.1)

net.opentsdb:opentsdb@2.4.0 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?

PoC