CVE-2023-25826
published 2023-05-03


Priority: P1 · 79 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 35.60% (98.3rd percentile)
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

Affected

1 range
Vendor: opentsdb · Product: opentsdb · Version range: 1.0.0 – 2.4.1 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: https://packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html
path: /q?
command: modules/exploits/linux/http/opentsdb_key_cmd_injection.rb
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M1 (CVE-2023-25826)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&key="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/UR"; content:"&wxh="; content:"&json"; endswith; reference:cve,2023-25826; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; classtype:trojan-activity; sid:2052823; rev:1; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25826, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M2 (CVE-2023-25826)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&wxh="; content:"&style="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/UR"; content:"&json"; endswith; reference:cve,2023-25826; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; classtype:trojan-activity; sid:2052824; rev:1; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25826, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M3 (CVE-2023-25826)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&wxh="; content:"&smooth="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/UR"; content:"&json"; endswith; reference:cve,2023-25826; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; classtype:trojan-activity; sid:2052825; rev:1; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25826, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • The exploit targets the legacy HTTP query API endpoint `/q?` via GET requests. Look for requests containing `start=`, `&m=`, `&o=`, `&key=`, `&wxh=`, and `&json` in sequence; the `key` parameter carries the injected payload.
  • Injection bypass characters to detect at the start of the vulnerable parameters' values (`key`, `style`, `smooth`): semicolon (0x3b), newline (0x0a), ampersand (0x26), backtick (0x60), pipe (0x7c), dollar sign (0x24).
  • Three distinct injection vectors exist in the HTTP query API: the `key=`, `style=`, and `smooth=` parameters. All three Snort rules share the same URI prefix pattern and injection-character PCRE and differ only in the parameter name they inspect.
  • The Metasploit module first queries the OpenTSDB version API, then fetches configured metrics and aggregators before constructing the exploit request, so version-check traffic to the OpenTSDB API may precede the actual exploit attempt.
  • The exploit achieves RCE as root without authentication: any successful exploitation of this CVE results in root-level command execution on the OpenTSDB host.
  • This is a bypass of the incomplete fix for CVE-2020-35476. The regex validation intended to restrict query API input does not work as intended and lets crafted commands through, so regex-based WAF rules alone are insufficient.
  • The Snort rules are tagged `tls_state TLSDecrypt`, meaning they will only fire on TLS-encrypted traffic if TLS inspection/decryption is enabled on the sensor. Deployments without TLS decryption will miss HTTPS-based exploitation.
  • The rules are classified with `confidence Medium`: the URI pattern `/q?` with the required parameter sequence may produce false positives on legitimate OpenTSDB graph query traffic.
  • The exploit is unauthenticated, so there are no credentials or session tokens to use as additional detection filters.
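The following is an added example (not code from the page's sources or from the Emerging Threats rule set) that applies the same shape checks as the three rules above to web-server access logs, so the pattern can be hunted retroactively where no sensor saw the traffic. The log entries and the "constructed-marker" strings are constructed for the example; percent-encoded values are decoded before matching because the rules match on the normalized URI, so `%3b` and a literal `;` must be treated alike.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Leading characters the rules' PCRE looks for at the start of the value:
# ; (0x3b)  \n (0x0a)  & (0x26)  ` (0x60)  | (0x7c)  $ (0x24)
INJECTION_PREFIX = (";", "\n", "&", "`", "|", "$")
# Parameters flagged by rules M1, M2 and M3 respectively
WATCHED_PARAMS = ("key", "style", "smooth")
# Request line inside a common-log-format entry: "GET /q?... HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def inspect_request(method, uri):
    """Return the watched parameters whose value begins with an injection
    character, or [] when the request lacks the shape all three rules require.
    parse_qsl decodes percent-encoding, so %3b and a literal ';' are handled
    alike, as the rules' match on the normalized URI buffer handles them."""
    if method != "GET":
        return []
    parts = urlsplit(uri)
    if parts.path != "/q":
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = [k for k, _ in params]
    # Common shape: start=, m=<aggregator:metric> with a colon, o=, ending in &json
    if not names or names[-1] != "json" or "start" not in names or "o" not in names:
        return []
    if not any(k == "m" and ":" in v for k, v in params):
        return []
    return [k for k, v in params if k in WATCHED_PARAMS and v.startswith(INJECTION_PREFIX)]


def scan_access_log(lines):
    """Return (line_number, flagged_params) for each log entry that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        flagged = inspect_request(m["method"], m["uri"]) if m else []
        if flagged:
            hits.append((n, flagged))
    return hits


# Constructed sample entries (not real traffic); "constructed-marker" stands in
# for whatever text follows the leading injection character.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/May/2024:10:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&o=&key=out%20right%20top&wxh=1024x768&json HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/May/2024:10:00:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&o=&key=%3Bconstructed-marker&wxh=1x1&json HTTP/1.1" 200 12',
    '10.0.0.9 - - [22/May/2024:10:00:03 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&o=&wxh=1x1&style=%60constructed-marker%60&json HTTP/1.1" 200 12',
    '10.0.0.9 - - [22/May/2024:10:00:04 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200 2048',
]
```

`scan_access_log(SAMPLE_LOG)` flags entries 2 (`key`) and 3 (`style`) and leaves the legitimate graph query and the non-`/q` request alone; as the rules' `confidence Medium` note warns, a legitimate value that happens to start with one of the six characters would also be flagged.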

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa: 9.8 CRITICAL
osv: 9.8 CRITICAL