CVE-2020-35476

Name of the Vulnerable Software and Affected Versions OpenTSDB versions prior to 2.4.1

Description A remote code execution issue occurs due to command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory, which is then executed via the mygnuplot.sh shell script. The attempted prevention of command injections by blocking backticks in tsd/GraphHandler.java is insufficient. This allows a remote attacker to execute arbitrary code.

Recommendations For OpenTSDB versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the yrange parameter in the affected API endpoint until a patch is available. Avoid using the yrange parameter in the affected API endpoint until the issue is resolved.