9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-36812

GHSA ID

GHSA-76f7-9v52-v2fw

EPSS Score

0.9932%

CWE

CWE-74

Published

6/30/2023

Updated

11/10/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-36812

CVE-2023-36812: Remote Code Execution for 2.4.1 and earlier

Impact

OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration.

Patches

Patched in 07c4641471c6f5c2ab5aab615969e97211eb50d9 and further refined in https://github.com/OpenTSDB/opentsdb/commit/fa88d3e4b5369f9fb73da384fab0b23e246309ba

Workarounds

Disable Gunuplot via tsd.core.enable_ui = true and remove the shell files https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.bat and https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.sh.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-36812

GHSA ID

GHSA-76f7-9v52-v2fw

EPSS Score

0.9932%

CWE

CWE-74

Published

6/30/2023

Updated

11/10/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
net.opentsdb:opentsdb	maven	<= 2.4.1	2.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient input validation in graph parameter handling functions. The pre-patch code in GraphHandler.java processed user-controlled parameters like 'wxh' and 'yrange' using regex checks that failed to prevent newlines/special characters. Attackers could inject Gnuplot commands via these parameters as they were written directly to config files executed by mygnuplot.sh/bat. The commit 07c4641 added validateString() checks to enforce ASCII printables, confirming these functions were the injection vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Op*nTS** is vuln*r**l* to R*mot* *o** *x**ution vuln*r**ility *y writin* us*r-*ontroll** input to *nuplot *on*i*ur*tion *il* *n* runnin* *nuplot wit* t** **n*r*t** *on*i*ur*tion. ### P*t***s P*t**** in [***********************************

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt input v*li**tion in *r*p* p*r*m*t*r **n*lin* *un*tions. T** pr*-p*t** *o** in *r*p***n*l*r.j*v* pro**ss** us*r-*ontroll** p*r*m*t*rs lik* 'wx*' *n* 'yr*n**' usin* r***x ****ks t**t **il** to pr*v*nt n*wlin*s/

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-36812: Remote Code Execution for 2.4.1 and earlier

Impact

Patches

Workarounds

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI