Opentsdb · Opentsdb · CVE-2020-35476
**Name of the Vulnerable Software and Affected Versions**
OpenTSDB versions prior to 2.4.1
**Description**
A remote code execution issue occurs due to command injection in the `yrange` parameter. The `yrange` value is written to a gnuplot file in the `/tmp` directory, which is then executed via the `mygnuplot.sh` shell script. The attempted prevention of command injection by blocking backticks in `tsd/GraphHandler.java` is insufficient. This allows a remote attacker to execute arbitrary code.
**Recommendations**
For OpenTSDB versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue.
If you cannot upgrade immediately, restrict access to the `yrange` parameter of the affected API endpoint as a temporary workaround, and avoid using the `yrange` parameter in that endpoint until the fix is deployed.
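As an added illustration of the workaround above (example code, not code from the OpenTSDB project), the following Python snippet applies an allowlist to `yrange` values, accepting only a plain numeric gnuplot range such as `[0:100]`, and scans constructed access-log lines for requests to the graph endpoint that carry a value outside that allowlist. The `/q` endpoint path and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a gnuplot yrange: "[lo:hi]" where each side is an optional
# number (integer, decimal or scientific), e.g. "[0:]", "[-1.5:2e3]" or "[:]".
# Anything else (quotes, backticks, spaces, shell metacharacters) simply does
# not match, so there is no blocklist of characters to bypass.
_NUM = r"-?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?"
YRANGE_RE = re.compile(rf"^\[({_NUM})?:({_NUM})?\]$")

# Request-line pattern for a common access-log format (assumed).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

# OpenTSDB graph endpoint path (assumed for this example).
GRAPH_PATH = "/q"


def is_safe_yrange(value: str) -> bool:
    """Return True only if the value is a plain numeric range."""
    return YRANGE_RE.fullmatch(value) is not None


def suspicious_yrange_requests(log_lines):
    """Return (line_number, decoded_yrange) for every graph-endpoint request
    whose yrange value falls outside the allowlist."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != GRAPH_PATH:
            continue
        # parse_qs percent-decodes the values, so we check the decoded form.
        for value in parse_qs(url.query, keep_blank_values=True).get("yrange", []):
            if not is_safe_yrange(value):
                hits.append((line_no, value))
    return hits


# Constructed sample log lines: one benign range, one unrelated endpoint,
# and one yrange carrying backticks that the allowlist rejects.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:00:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu&yrange=%5B0:100%5D HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2021:00:00:02 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu HTTP/1.1" 200 128',
    '10.0.0.7 - - [01/Jan/2021:00:00:03 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu&yrange=%5B0:%60date%60%5D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, value in suspicious_yrange_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected yrange {value!r}")
```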