VYPR
Critical severity · NVD Advisory · Published Jun 29, 2018 · Updated Aug 5, 2024

CVE-2018-12972

Description

OpenTSDB 2.3.0 and earlier allow command injection via parameters to the /q URI, leading to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenTSDB versions 2.3.0, 2.2.0, 2.1.4, and earlier are vulnerable to command injection through the /q HTTP endpoint [1][3]. The parameters o, key, style, yrange, and y2range (including their JSON input) do not sanitize user-supplied values, allowing shell metacharacters to be interpreted [1][3].

Exploitation

An attacker with network access to the OpenTSDB HTTP API can craft a malicious request to the /q endpoint [3]. For example, injecting backtick-encapsulated commands into the o parameter (e.g., %60ping%20-c%2010%20127.0.0.1%60) causes the server to execute the arbitrary command [3]. No authentication is required, and the attack does not require user interaction beyond sending the crafted URL [1][3].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands on the OpenTSDB server with the privileges of the OpenTSDB process [1][3]. This can lead to full system compromise, including data exfiltration, installation of malware, or denial of service [3].

Mitigation

The vulnerability is fixed in OpenTSDB version 2.3.1 [3]. Users should upgrade to this release immediately [3]. If unable to patch, network access controls should restrict access to the /q endpoint to trusted hosts only [3].
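For teams that cannot upgrade right away, the two controls worth having are a detection over the HTTP access log and a strict allowlist on the parameters the advisory names. The following is an added example written for this page, not OpenTSDB's own code: it assumes a constructed access-log format of `<client> "<METHOD> <path?query> HTTP/1.1" <status>`, takes the parameter names (o, key, style, yrange, y2range) and the backtick payload from the advisory text, and treats the allowlist character set for graph options as an assumption a deployment would tune.

```python
"""Detection and allowlist helper for CVE-2018-12972-style requests to OpenTSDB's /q endpoint.

Added example, not OpenTSDB code. The access-log format, sample lines and the
allowlist character set are assumptions; the parameter names come from the advisory.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory names as unsanitized on the /q endpoint.
WATCHED_PARAMS = {"o", "key", "style", "yrange", "y2range"}

# Shell metacharacters that have no business in a graph-formatting option.
SHELL_META = re.compile(r"[`$|;&<>()\n]")

# Assumed log format: <client> "<METHOD> <target> HTTP/x.y" <status>
LOG_LINE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Assumed allowlist for graph options such as yrange=[0:100] or key=top left.
OPTION_ALLOWED = re.compile(r"^[A-Za-z0-9_.:,\-\[\] ]*$")

# Constructed sample log; the second line carries the payload quoted in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 "GET /q?start=1h-ago&m=sum:sys.cpu.user&o=&yrange=[0:100] HTTP/1.1" 200',
    '198.51.100.7 "GET /q?start=1h-ago&m=sum:sys.cpu.user&o=%60ping%20-c%2010%20127.0.0.1%60 HTTP/1.1" 200',
    '203.0.113.9 "GET /q?start=1h-ago&m=sum:sys.cpu.user&key=top%20left&style=linespoint HTTP/1.1" 200',
    '203.0.113.9 "GET /q?start=1h-ago&m=sum:sys.cpu.user&y2range=%5B0%3A1%5D%3B HTTP/1.1" 200',
    '10.0.0.5 "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200',
]


def find_tainted_params(target):
    """Return {param: decoded_value} for watched /q params that contain shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != "/q":
        return {}
    tainted = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        # parse_qsl already decoded once; decode twice more so a double-encoded
        # %2560 (which becomes a backtick after a second pass) is not missed.
        decoded = unquote(unquote(value))
        if SHELL_META.search(decoded):
            tainted[name] = decoded
    return tainted


def scan_log(lines):
    """Return (client, param, value) for every logged request that looks like an injection attempt."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # Skip lines that do not match the assumed log format.
        for param, value in find_tainted_params(m.group("target")).items():
            hits.append((m.group("client"), param, value))
    return hits


def is_safe_option(value):
    """Allowlist check for the hardened side: reject anything outside the plain option charset."""
    return OPTION_ALLOWED.fullmatch(value) is not None


if __name__ == "__main__":
    for client, param, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {client}: /q param {param!r} contains shell metacharacters: {value!r}")
```

The detection side decodes defensively (multiple passes) and alerts on any metacharacter, accepting some false positives; the allowlist side does the opposite, rejecting everything not explicitly permitted, which is the shape a filter in front of a still-unpatched /q endpoint should take.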

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.opentsdb:opentsdb (Maven)
Affected versions: <= 2.3.0
Patched versions: not listed

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)