CVE-2023-36812

CRITICAL

OpenTSDB <2.4.2 - Remote Code Execution via Gnuplot Configuration Injection

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-36812. PoCs published by ErikWynter, Gal Goldstein, Daniel Abeles, Erik Wynter, including Metasploit module exploits/linux/http/opentsdb_key_cmd_injection.

AI-analyzed exploit summary This repository contains a Fortran-based exploit for CVE-2023-36812, a command injection vulnerability in OpenTSDB <= 2.4.1. The exploit leverages the Fortran http-client library to send malicious payloads to the target, achieving remote code execution.

Description

OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config option`tsd.core.enable_ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.

Exploits (2)

nomisec WORKING POC 7 stars

by ErikWynter · poc

https://github.com/ErikWynter/opentsdb_key_cmd_injection

View Code ZIP pw:eip

This repository contains a Fortran-based exploit for CVE-2023-36812, a command injection vulnerability in OpenTSDB <= 2.4.1. The exploit leverages the Fortran http-client library to send malicious payloads to the target, achieving remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenTSDB <= 2.4.1

No auth needed

Prerequisites: Network access to OpenTSDB instance · Listener set up for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Gal Goldstein, Daniel Abeles, Erik Wynter · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in OpenTSDB 2.4.1 and earlier via the 'key' parameter, achieving remote code execution as root. It includes version detection, metric/aggregator selection, and payload delivery through crafted HTTP requests.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenTSDB <= 2.4.1

No auth needed

Prerequisites: OpenTSDB instance with configured metrics and aggregators · Network access to the OpenTSDB HTTP API (default port 4242)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html

Patch x_refsource_confirm

https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw

Patch x_refsource_misc

https://github.com/OpenTSDB/opentsdb/commit/07c4641471c6f5c2ab5aab615969e97211eb50d9

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/OpenTSDB/opentsdb/commit/fa88d3e4b5369f9fb73da384fab0b23e246309ba

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.8429

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-74

Status published

Products (2)

net.opentsdb/opentsdb 0 - 2.4.2Maven

opentsdb/opentsdb < 2.4.2

Published Jun 30, 2023

Tracked Since Feb 18, 2026