Remote Code Execution for 2.4.1 and earlier
Critical severity
GitHub Reviewed
Published
Jun 30, 2023
in
OpenTSDB/opentsdb
•
Updated Nov 10, 2023
Description
Published to the GitHub Advisory Database
Jun 30, 2023
Reviewed
Jun 30, 2023
Published by the National Vulnerability Database
Jun 30, 2023
Last updated
Nov 10, 2023
Impact
OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration.
Patches
Patched in 07c4641471c6f5c2ab5aab615969e97211eb50d9 and further refined in OpenTSDB/opentsdb@fa88d3e
Workarounds
Disable Gunuplot via
tsd.core.enable_ui = true
and remove the shell files https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.bat and https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.sh.References