CVE-2023-36812
Published 2023-06-30
Priority: P2 72 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.30% (96.2th percentile)
OpenTSDB is an open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to remote code execution: it writes user-controlled input to a Gnuplot configuration file and runs Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. Users unable to upgrade may disable Gnuplot via the config option `tsd.core.enable_ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opentsdb | opentsdb | < 2.4.2 | 2.4.2 |
Detection & IOCs (extracted from sources)
- Monitor for HTTP requests to OpenTSDB graph/plot endpoints containing shell metacharacters or command injection payloads in the `key` parameter.
- Detect reconnaissance activity: unauthenticated requests to the OpenTSDB version API endpoint (`/api/version`) followed by graph plot requests, which is indicative of the Metasploit exploit module's pre-exploitation fingerprinting step.
- Alert on execution of `mygnuplot.sh` or `mygnuplot.bat` from the OpenTSDB process, especially when spawning unexpected child processes (e.g., shells), as exploitation routes through these wrapper scripts.
- Flag unauthenticated graph plot requests that include metrics and aggregators fetched dynamically; the exploit module randomly selects a metric and aggregator before injecting the payload.
- Monitor for OpenTSDB processes spawning child processes as root, which may indicate successful RCE exploitation.
- The vulnerability affects OpenTSDB through version 2.4.1; patches are present in commits `07c4641471c` and `fa88d3e4b`, and are included in the 2.4.2 release.
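
One way to implement the first two checks over HTTP access logs, as an added example that is not part of the original page or of OpenTSDB. The graph endpoint path `/q`, the log layout, the 60-second window and the metacharacter set are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

GRAPH_PATH = "/q"               # assumption: path of the graph endpoint
VERSION_PATH = "/api/version"   # version endpoint named in the guidance above
WINDOW_SECONDS = 60             # assumption: fingerprint-to-plot correlation window
# Assumed metacharacter set; tune it to what your shells and wrappers interpret.
SHELL_META = re.compile(r"[`$;|&<>(){}\\\n\r]")
# Assumed log layout: client, epoch seconds, quoted request line.
LOG_LINE = re.compile(r'^(\S+) (\d+) "GET (\S+) HTTP/[\d.]+"$')

# Constructed sample log; addresses, metric and key values are made up.
SAMPLE_LOG = [
    '198.51.100.7 1700000000 "GET /q?start=1h-ago&m=sum:sys.cpu.user&key=out%20right%20top&png HTTP/1.1"',
    '192.0.2.10 1700000100 "GET /api/version HTTP/1.1"',
    '192.0.2.10 1700000103 "GET /q?start=1h-ago&m=sum:sys.cpu.user&key=out%60CONSTRUCTED%60&png HTTP/1.1"',
    '198.51.100.7 1700000200 "GET /api/version HTTP/1.1"',
    '198.51.100.7 1700000900 "GET /q?start=1h-ago&m=sum:sys.cpu.user&key=out%20left&png HTTP/1.1"',
]

def detect(lines):
    """Return (client, timestamp, rule) tuples for suspicious graph requests."""
    alerts = []
    last_version_probe = {}  # client -> time of most recent /api/version hit
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, ts, target = match.group(1), int(match.group(2)), match.group(3)
        url = urlsplit(target)
        if url.path == VERSION_PATH:
            last_version_probe[client] = ts
        elif url.path == GRAPH_PATH:
            # parse_qs percent-decodes, so %60 or %3B cannot hide a metacharacter.
            params = parse_qs(url.query, keep_blank_values=True)
            if any(SHELL_META.search(v) for v in params.get("key", [])):
                alerts.append((client, ts, "metachar-in-key"))
            probe = last_version_probe.get(client)
            if probe is not None and ts - probe <= WINDOW_SECONDS:
                alerts.append((client, ts, "version-then-graph"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Treat `version-then-graph` on its own as a low-confidence signal and prioritise clients that trigger both rules.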
OSV
Remote Code Execution for 2.4.1 and earlier
osv·2023-06-30
CVE-2023-36812 [CRITICAL] Remote Code Execution for 2.4.1 and earlier
### Impact
OpenTSDB is vulnerable to Remote Code Execution by writing user-controlled input to a Gnuplot configuration file and running Gnuplot with the generated configuration.
### Patches
Patched in [07c4641471c6f5c2ab5aab615969e97211eb50d9](https://github.com/OpenTSDB/opentsdb/commit/07c4641471c6f5c2ab5aab615969e97211eb50d9) and further refined in https://github.com/OpenTSDB/opentsdb/commit/fa88d3e4b5369f9fb73da384fab0b23e246309ba
### Workarounds
Disable Gnuplot via `tsd.core.enable_ui = true` and remove the shell files https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.bat and https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.sh.
GHSA
Remote Code Execution for 2.4.1 and earlier
ghsa·2023-06-30
CVE-2023-36812 [CRITICAL] CWE-74 Remote Code Execution for 2.4.1 and earlier
- http://packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html
- https://github.com/OpenTSDB/opentsdb/commit/07c4641471c6f5c2ab5aab615969e97211eb50d9
- https://github.com/OpenTSDB/opentsdb/commit/fa88d3e4b5369f9fb73da384fab0b23e246309ba
- https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw
Published: 2023-06-30