CVE-2020-35476

Published: 16/12/2020 Updated: 03/03/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 791
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A remote code execution vulnerability occurs in OpenTSDB up to and including 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)

Vulnerable Product

opentsdb / opentsdb

Exploits

This Metasploit module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the API. If the version is 2.4.0 or lower, the module performs ...

Metasploit Modules

OpenTSDB 2.4.0 unauthenticated command injection

This module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the API. If the version is 2.4.0 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.3.0.

msf > use exploit/linux/http/opentsdb_yrange_cmd_injection
msf exploit(opentsdb_yrange_cmd_injection) > show targets
    ...targets...
msf exploit(opentsdb_yrange_cmd_injection) > set TARGET < target-id >
msf exploit(opentsdb_yrange_cmd_injection) > show options
    ...show and set options...
msf exploit(opentsdb_yrange_cmd_injection) > exploit

Github Repositories

A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter.

CVE-2020-35476: A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. Not finished and doesn't work. Most of the code is there but the payload has to be fixed.

An exploit for OpenTSDB <= 2.4.1 cmd injection (CVE-2023-36812/CVE-2023-25826) written in Fortran

opentsdb_key_cmd_injection: An exploit for OpenTSDB <= 2.4.1 cmd injection (CVE-2023-36812/CVE-2023-25826) written in Fortran. About: This is an exploit for a command injection vulnerability in OpenTSDB versions 2.4.1 and prior (CVE-2023-36812/CVE-2023-25826). The exploit is written in modern Fortran and leverages the official Fortran http-client library that was created ear