CVE-2023-25826 : Due to insufficient validation of parameters passed to the legacy HTTP query API

Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

Published 2023-05-03 19:15:09

Updated 2025-02-13 17:16:11

Source Synopsys

View at NVD, CVE.org

Products affected by CVE-2023-25826

Opentsdb » Opentsdb
Versions from including (>=) 1.0.0 and up to, including, (<=) 2.4.1
cpe:2.3:a:opentsdb:opentsdb:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-25826

EPSS FAQ

83.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2023-25826

OpenTSDB 2.4.1 unauthenticated command injection

Disclosure Date: 2023-07-01

First seen: 2023-09-11

exploit/linux/http/opentsdb_key_cmd_injection

This module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve unauthenticated remote code execution as the root user. The module first atte

More information

CVSS scores for CVE-2023-25826

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	Synopsys
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-25826

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- disclosure@synopsys.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-25826

http://packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html

OpenTSDB 2.4.1 Unauthenticated Command Injection ≈ Packet Storm

CVEs referencing this url
https://www.synopsys.com/blogs/software-security/opentsdb/

CyRC Vulnerability Advisory: CVE-2023-25826 and CVE-2023-25827 in OpenTSDB | Synopsys
Third Party Advisory

CVEs referencing this url
https://github.com/OpenTSDB/opentsdb/pull/2275

Improved fix for #2261. by manolama · Pull Request #2275 · OpenTSDB/opentsdb · GitHub
Patch

Jump to