CVE-2023-36812

Description

### Impact OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. ### Patches Patched in [07c4641471c6f5c2ab5aab615969e97211eb50d9](https://github.com/OpenTSDB/opentsdb/commit/07c4641471c6f5c2ab5aab615969e97211eb50d9) and further refined in https://github.com/OpenTSDB/opentsdb/commit/fa88d3e4b5369f9fb73da384fab0b23e246309ba ### Workarounds Disable Gunuplot via `tsd.core.enable_ui = true` and remove the shell files https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.bat and https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.sh.

How to fix CVE-2023-36812

To remediate CVE-2023-36812, upgrade the affected package to a fixed version below.

• —upgrade to 2.4.2 or later

Is CVE-2023-36812 being exploited?

Likely — EPSS is 84.3%, placing CVE-2023-36812 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• from 0, < 2.4.2

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-36812
• PATCHgithub.com/OpenTSDB/opentsdb
• WEBpacketstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html
• WEBgithub.com/OpenTSDB/opentsdb/commit/07c4641471c6f5c2ab5aab615969e97211eb50d9