CVELIST: CVE-2023-36812
History: Jun 30, 2023 - 10:58 p.m.

CVE-2023-36812 Remote Code Execution in OpenTSDB

2023-06-30 22:58:33
CWE-74
GitHub_M
www.cve.org
opentsdb
remote code execution
vulnerability
gnuplot
configuration
upgrade
shell files
security
patch

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.9 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 77.0%)

OpenTSDB is an open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to a Remote Code Execution vulnerability caused by writing user-controlled input to a Gnuplot configuration file and then running Gnuplot with the generated configuration. This issue has been patched in commit 07c4641471c and further refined in commit fa88d3e4b. These patches are available in the 2.4.2 release. Users are advised to upgrade. Users unable to upgrade may disable Gnuplot via the config option tsd.core.enable_ui = true and remove the shell files mygnuplot.bat and mygnuplot.sh.

CNA Affected

[
  {
    "vendor": "OpenTSDB",
    "product": "opentsdb",
    "versions": [
      {
        "version": "< 2.4.2",
        "status": "affected"
      }
    ]
  }
]
