cvebase
CVE-2023-36812
published 2023-06-30

Priority: P2 72 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.30% (96.2th percentile)

OpenTSDB is an open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to remote code execution: it writes user-controlled input to a Gnuplot configuration file and runs Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. Users unable to upgrade may disable Gnuplot via the config option `tsd.core.enable_ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| opentsdb | opentsdb | < 2.4.2 | 2.4.2 |

Detection & IOCs (extracted from sources)

path: mygnuplot.bat
path: mygnuplot.sh
url: /api/version
other: key parameter injection via graph plot request
  • Monitor for HTTP requests to OpenTSDB graph/plot endpoints containing shell metacharacters or command injection payloads in the `key` parameter.
  • Detect reconnaissance activity: unauthenticated requests to the OpenTSDB version API endpoint (`/api/version`) followed by graph plot requests — indicative of the Metasploit exploit module's pre-exploitation fingerprinting step.
  • Alert on execution of `mygnuplot.sh` or `mygnuplot.bat` from the OpenTSDB process, especially when spawning unexpected child processes (e.g., shells), as exploitation routes through these wrapper scripts.
  • Flag unauthenticated graph plot requests that include metrics and aggregators fetched dynamically — the exploit module randomly selects a metric and aggregator before injecting the payload.
  • Monitor for OpenTSDB processes spawning child processes as root, which may indicate successful RCE exploitation.
  • The vulnerability affects OpenTSDB through version 2.4.1; patches are present in commits `07c4641471c` and `fa88d3e4b`, and are included in the 2.4.2 release.
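
The first two checks above (shell metacharacters in `key`, and a `/api/version` request preceding the graph request) can be run over web access logs. This is an added example, not code from cvebase or the OpenTSDB project; it assumes a common-log-format access log from a proxy in front of OpenTSDB and `/q` as the graph endpoint path, and the log lines, metric names and `PLACEHOLDER` values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the page): access log in common log format, and
# "/q" as the path of the OpenTSDB graph endpoint.
GRAPH_PATH = "/q"
VERSION_PATH = "/api/version"
SHELL_META = re.compile(r"[`$;|&<>\n\r]")
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def scan(lines):
    """Flag graph requests whose decoded `key` value has shell metacharacters."""
    probed = set()    # clients already seen requesting /api/version
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, url = match["ip"], urlsplit(match["target"])
        if url.path == VERSION_PATH:
            probed.add(client)
        elif url.path == GRAPH_PATH:
            # parse_qs percent-decodes, so encoded metacharacters are caught too
            for value in parse_qs(url.query, keep_blank_values=True).get("key", []):
                if SHELL_META.search(value):
                    findings.append({"line": number, "client": client,
                                     "key": value,
                                     "after_version_probe": client in probed})
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder payloads).
SAMPLE = [
    '198.51.100.7 - - [01/Jul/2023:10:00:00 +0000] "GET /api/version HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Jul/2023:10:00:02 +0000] "GET /q?start=1h-ago'
    '&m=sum:sys.cpu.user&key=%60PLACEHOLDER%60&png HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jul/2023:10:05:00 +0000] "GET /q?start=1h-ago'
    '&m=sum:sys.cpu.user&key=out+right+top&png HTTP/1.1" 200 5120',
    '203.0.113.20 - - [01/Jul/2023:10:06:00 +0000] "GET /q?start=1h-ago'
    '&m=avg:sys.cpu.user&key=top%3BPLACEHOLDER&png HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The `after_version_probe` field separates a bare suspicious `key` value from one that follows the fingerprinting request, which is the higher-priority alert.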