PT-2023-25703 · Opentsdb · Opentsdb

Oxeye-Daniel · Published 2023-06-30 · Updated 2023-09-10 · CVE-2023-36812

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenTSDB versions prior to 2.4.2
Description: OpenTSDB is vulnerable to Remote Code Execution by writing user-controlled input to the Gnuplot configuration file and running Gnuplot with the generated configuration. The issue has been patched in commits 07c4641471c and fa88d3e4b, which are available in the 2.4.2 release.
Recommendations: For versions prior to 2.4.2, upgrade to version 2.4.2 to resolve the issue. As a temporary workaround for users unable to upgrade, disable Gnuplot via the config option tsd.core.enable_ui = true and remove the shell files mygnuplot.bat and mygnuplot.sh.

Exploit

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2023-36812
GHSA-76F7-9V52-V2FW

Affected Products

Opentsdb