OpenTSDB is an open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to remote code execution: user-controlled input is written into a Gnuplot configuration file, and Gnuplot is then run with that generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. Users unable to upgrade may disable Gnuplot rendering by setting the config option `tsd.core.enable_ui = false` (the UI is what drives Gnuplot) and removing the shell files `mygnuplot.bat` and `mygnuplot.sh`.
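The following Python is an added illustration, not OpenTSDB's own code and not the 2.4.2 patch. It contrasts the vulnerable pattern the advisory describes (an unvalidated query parameter interpolated into a gnuplot script, which gnuplot will happily expand through backquotes or `system`) with an allowlist-based builder that rejects anything other than bare legend-position words. The parameter name `key` comes from the Metasploit module entry on this page; the allowlist contents, the `datafile`/`outfile` arguments and the sample inputs are constructed for the example.

```python
import re

# Gnuplot "set key" option words a legitimate client could plausibly send.
# Constructed allowlist for this example; it is NOT the list OpenTSDB 2.4.2 uses.
KEY_ALLOWED = frozenset({
    "top", "bottom", "left", "right", "center", "inside", "outside", "out",
    "horizontal", "horiz", "vertical", "box", "nobox", "reverse", "noreverse",
    "invert", "noinvert",
})

# A token must be a bare lowercase word. Quotes, backticks, semicolons and
# newlines are rejected rather than escaped: gnuplot has several shell-escape
# forms and escaping them one by one is easy to get wrong.
_TOKEN_RE = re.compile(r"^[a-z]+$")

# Gnuplot constructs that reach a shell: `cmd` substitution, the system
# command/function, and a line beginning with "!". Used only to inspect an
# already generated script (e.g. when triaging a compromised host); it is not
# a substitute for the allowlist.
_SHELL_ESCAPE_RE = re.compile(r"`|\bsystem\b|^\s*!", re.MULTILINE)


def unsafe_gnuplot_script(key, datafile, outfile):
    """Vulnerable pattern: the raw `key` query parameter is interpolated into
    the gnuplot script. datafile/outfile stand in for server-generated paths."""
    return (
        "set terminal png\n"
        f"set output '{outfile}'\n"
        f"set key {key}\n"
        f"plot '{datafile}' using 1:2 with lines\n"
    )


def validate_key(key):
    """Return the key tokens if every one is an allowlisted word; else raise."""
    tokens = key.split()
    if not tokens:
        raise ValueError("empty key option")
    for tok in tokens:
        if not _TOKEN_RE.match(tok) or tok not in KEY_ALLOWED:
            raise ValueError(f"rejected key token: {tok!r}")
    return tokens


def safe_gnuplot_script(key, datafile, outfile):
    """Hardened pattern: only allowlisted tokens are re-joined into the script."""
    tokens = validate_key(key)
    return (
        "set terminal png\n"
        f"set output '{outfile}'\n"
        f"set key {' '.join(tokens)}\n"
        f"plot '{datafile}' using 1:2 with lines\n"
    )


def has_shell_escape(script):
    """True if a generated gnuplot script contains a shell-reaching construct."""
    return _SHELL_ESCAPE_RE.search(script) is not None


if __name__ == "__main__":
    # Constructed inputs: a normal legend position and a backquote payload.
    benign = "top left box"
    hostile = "top left `id > /tmp/pwned`"
    print(unsafe_gnuplot_script(hostile, "q.dat", "q.png"))
    print("shell escape present:",
          has_shell_escape(unsafe_gnuplot_script(hostile, "q.dat", "q.png")))
    print(safe_gnuplot_script(benign, "q.dat", "q.png"))
    try:
        safe_gnuplot_script(hostile, "q.dat", "q.png")
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that the fix is a positive grammar for the parameter, not escaping: gnuplot's script language reaches the shell through backquote substitution, `system`, and `!` lines, so the only safe input is one that can never contain those characters in the first place. `has_shell_escape` is there for the forensic side, to check scripts already written to disk by an unpatched instance.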
Published 2023-06-30 23:15:10
Updated 2023-09-08 23:15:11
Source GitHub, Inc.
Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2023-36812

EPSS score: 1.60% (probability of exploitation activity in the next 30 days)
Percentile: ~88% (proportion of all scored vulnerabilities with a score at or below this one)

Metasploit modules for CVE-2023-36812

  • OpenTSDB 2.4.1 unauthenticated command injection
    Disclosure Date: 2023-07-01
    First seen: 2023-09-11
    exploit/linux/http/opentsdb_key_cmd_injection
    This module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve unauthenticated remote code execution as the root user. The module first atte

CVSS scores for CVE-2023-36812

Base Score  Severity  CVSS Vector                                   Exploitability  Impact  Source
9.8         CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  3.9             5.9     NIST
9.8         CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  3.9             5.9     GitHub, Inc.
