net.opentsdb:opentsdb 2.4.1 vulnerabilities

Known vulnerabilities in the net.opentsdb:opentsdb package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Arbitrary Code Execution net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Arbitrary Code Execution by writing user-controlled input to the `Gnuplot` configuration file and running `Gnuplot` with the generated configuration. How to fix Arbitrary Code Execution? A fix was pushed into the `master` branch but not yet published.	[0,)
H Cross-site Scripting (XSS) net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint. Note: This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint. How to fix Cross-site Scripting (XSS)? A fix was pushed into the `master` branch but not yet published.	[0,)
C Command Injection net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Command Injection due to insufficient validation of parameters passed to the legacy HTTP query API. Note: This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation. How to fix Command Injection? A fix was pushed into the `master` branch but not yet published.	[0,)
M Cross-site Scripting (XSS) net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `json` parameter, in the `/q` endpoint. How to fix Cross-site Scripting (XSS)? There is no fixed version for `net.opentsdb:opentsdb`.	[0,)
M Cross-site Scripting (XSS) net.opentsdb:opentsdb is a scalable, distributed Time Series Database. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `type` parameter, in the `/suggest` endpoint. How to fix Cross-site Scripting (XSS)? There is no fixed version for `net.opentsdb:opentsdb`.	[0,)

Vulnerability

Vulnerable Version

Arbitrary Code Execution

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Arbitrary Code Execution by writing user-controlled input to the Gnuplot configuration file and running Gnuplot with the generated configuration.

How to fix Arbitrary Code Execution?

A fix was pushed into the master branch but not yet published.

[0,)

Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint.

Note: This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)

Command Injection

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Command Injection due to insufficient validation of parameters passed to the legacy HTTP query API.

Note: This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

[0,)

Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the json parameter, in the /q endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

[0,)

Cross-site Scripting (XSS)

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the type parameter, in the /suggest endpoint.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for net.opentsdb:opentsdb.

[0,)

net.opentsdb:opentsdb@2.4.1 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?