opentsdb 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting and vendor risk command injection に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で vendor impact session compromise などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2023-36812 | OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config option | [email protected] | 9.8 | 84.29% | 2023-06-30 | 2024-11-21 |
| CVE-2023-25827 | Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint. | [email protected] | 8.2 | 0.57% | 2023-05-03 | 2024-11-21 |
| CVE-2023-25826 | Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation. | [email protected] | 9.8 | 84.87% | 2023-05-03 | 2025-02-13 |
| CVE-2020-35476 | A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.) | [email protected] | 9.8 | 94.25% | 2020-12-16 | 2024-11-21 |
| CVE-2018-13003 | An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'type' to the /suggest URI. | [email protected] | 6.1 | 0.24% | 2018-06-29 | 2024-11-21 |
| CVE-2018-12973 | An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'json' to the /q URI. | [email protected] | 6.1 | 0.24% | 2018-06-29 | 2024-11-21 |
| CVE-2018-12972 | An issue was discovered in OpenTSDB 2.3.0. Many parameters to the /q URI can execute commands, including o, key, style, and yrange and y2range and their JSON input. | [email protected] | 9.8 | 0.73% | 2018-06-29 | 2024-11-21 |