CVE-2020-35476

CRITICAL EXPLOITED NUCLEI

OpenTSDB 2.4.0 unauthenticated command injection

Title source: metasploit

Description

A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)

Exploits (2)

nomisec WORKING POC 2 stars

by glowbase · remote

https://github.com/glowbase/CVE-2020-35476

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Shai rod, Erik Wynter · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/opentsdb_yrange_cmd_injection.rb

View Code ZIP pw:eip

Nuclei Templates (1)

OpenTSDB <=2.4.0 - Remote Code Execution

CRITICALVERIFIEDby pikpikcu

Shodan: html:"OpenTSDB" || http.html:"opentsdb"

FOFA: body="opentsdb"

References (2)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/170331/OpenTSDB-2.4.0-Command-Injection.html

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/OpenTSDB/opentsdb/issues/2051

Scores

CVSS v3 9.8

EPSS 0.9425

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-21

CWE

CWE-78

Status published

Products (2)

net.opentsdb/opentsdb 0Maven

opentsdb/opentsdb < 2.4.0

Published Dec 16, 2020

Tracked Since Feb 18, 2026