CVE-2023-36812

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-36812

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36812.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-36812

Aliases

GHSA-76f7-9v52-v2fw

Published

2023-06-30T23:15:10Z

Modified

2024-05-15T01:17:05.778024Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit 07c4641471c and further refined in commit fa88d3e4b. These patches are available in the 2.4.2 release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config optiontsd.core.enable_ui = true and remove the shell files mygnuplot.bat and mygnuplot.sh.

References

Affected packages

Git / github.com/opentsdb/opentsdb

Affected ranges

Type: GIT
Repo: https://github.com/opentsdb/opentsdb
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

07c4641471c6f5c2ab5aab615969e97211eb50d9

Fixed

fa88d3e4b5369f9fb73da384fab0b23e246309ba

Affected versions

2.*

2.1.1

v1.*

v1.0.0

v1.1.0

v2.*

v2.0.0

v2.0.0RC1

v2.0.0RC2

v2.0.0RC3

v2.0.1

v2.1.0

v2.1.0RC1

v2.1.0RC2

v2.1.2

v2.1.3

v2.1.4

v2.2.0

v2.2.0RC1

v2.2.0RC2

v2.2.0RC3

v2.2.1

v2.2.2

v2.3.0

v2.3.0RC1

v2.3.0RC2

v2.3.1

v2.3.2

v2.4.0

v2.4.0RC2

v2.4.1