net.opentsdb:opentsdb@2.4.0 vulnerabilities

OpenTSDB is a distributed, scalable Time Series Database (TSDB) written on top of HBase. OpenTSDB was written to address a common need: store, index and serve metrics collected from computer systems (network gear, operating systems, applications) at a large scale, and make this data easily accessible and graphable.

Direct Vulnerabilities

Known vulnerabilities in the net.opentsdb:opentsdb package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable Version
  • Severity: M (Medium)
Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the json parameter, in the /q endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

Vulnerable versions: [0,)
  • Severity: M (Medium)
Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the type parameter, in the /suggest endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

Vulnerable versions: [0,)
  • Severity: H (High)
Arbitrary Code Execution

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to bypass the command injection sanitization within /src/tsd/GraphHandler.java and execute arbitrary commands. Payload: [33:system('touch/tmp/poc.txt')]

PoC

http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

When the payload is passed via one of the graph parameters, it is written into a gnuplot script file in the /tmp directory, and OpenTSDB then executes that gnuplot file via the /src/mygnuplot.sh shell script. When OpenTSDB runs mygnuplot.sh, the injected command runs and the poc.txt file is written to the /tmp directory.

How to fix Arbitrary Code Execution?

Upgrade net.opentsdb:opentsdb to version 2.4.1 or higher.

Vulnerable versions: [0,2.4.1)