CVE-2020-35476
Description
CVE-2020-35476 is a remote code execution vulnerability in OpenTSDB through 2.4.0 via command injection in the yrange parameter, exploitable without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The vulnerability stems from insufficient input validation of the yrange parameter in GraphHandler.java. The check only rejects backticks (`), which blocks one shell-style substitution but not other ways of making gnuplot run a command. The user-supplied yrange value is therefore written verbatim into a temporary gnuplot script under /tmp, which the mygnuplot.sh wrapper script then passes to gnuplot [1][2].
Exploitation
An attacker can exploit this by sending a specially crafted HTTP request to the OpenTSDB web interface or API, without any authentication. The payload is placed in the yrange parameter using gnuplot's own syntax, for example [33:system('command')]. It passes the filter because it contains no backtick; the bracketed value is a syntactically valid gnuplot range, and gnuplot evaluates the system() call while parsing the range bound [2]. When mygnuplot.sh feeds the generated script to gnuplot, the embedded command runs on the server.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the OpenTSDB host with the privileges of the OpenTSDB process. This can lead to full system compromise, including data exfiltration, installation of malware, or lateral movement within the network.
Mitigation
No patched version is recorded for this advisory on this page; check the upstream OpenTSDB release notes before relying on an upgrade alone. Administrators should restrict network access to the OpenTSDB web interface to trusted hosts only, and add input validation or reverse-proxy filtering that accepts yrange only in its plain numeric [lo:hi] form and rejects anything else. Host-level firewall rules and running the service with minimal privileges reduce the blast radius if the check is bypassed.
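The following is an added illustration, not code from OpenTSDB or from the advisory, of the two points above: why a backtick-only filter (modelled here as a hypothetical legacy_filter, an assumption about the check's shape) lets a gnuplot system() payload through into the generated script, and what an allow-list check looks like that a reverse proxy or the handler itself could apply to yrange. The sample values and the /q request URLs are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample yrange values for illustration (not from the advisory).
BENIGN_YRANGE = "[0:100]"
PAYLOAD_YRANGE = "[33:system('id')]"


def legacy_filter(yrange: str) -> bool:
    """Model of a filter that rejects only backticks.

    Assumption: this mirrors the shape of the check the advisory describes
    (backtick blocked, everything else passed through); it is not the
    OpenTSDB source.
    """
    return "`" not in yrange


def render_gnuplot_line(yrange: str) -> str:
    """An accepted value is interpolated verbatim into the gnuplot script."""
    return f"set yrange {yrange}\n"


# Hardened check: a y-axis range needs nothing beyond "[lo:hi]" where each
# bound is optional and purely numeric (integer, decimal, exponent form).
_NUM = r"-?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][-+]?\d+)?"
YRANGE_RE = re.compile(rf"^\[({_NUM})?:({_NUM})?\]$")


def strict_yrange(yrange: str) -> Optional[str]:
    """Return the value unchanged if it is a pure numeric range, else None.

    Anything that is not a number, a colon and brackets is rejected, so a
    gnuplot function call such as system() can never reach the script.
    """
    m = YRANGE_RE.fullmatch(yrange)
    if m is None:
        return None
    lo, hi = m.group(1), m.group(2)
    if lo is not None and hi is not None and float(lo) > float(hi):
        return None  # reject inverted ranges as well
    return yrange


def request_is_safe(url: str, keys=("yrange",)) -> bool:
    """Reverse-proxy style gate over a full request URL.

    Every occurrence of each gated query parameter must pass strict_yrange;
    a request carrying any other form of the value is refused.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key in keys:
        for value in qs.get(key, []):
            if strict_yrange(value) is None:
                return False
    return True


if __name__ == "__main__":
    for value in (BENIGN_YRANGE, PAYLOAD_YRANGE):
        print(f"{value!r}: legacy={legacy_filter(value)} "
              f"strict={strict_yrange(value) is not None}")
        if legacy_filter(value):
            print("  script line:", render_gnuplot_line(value).rstrip())
```

The legacy check accepts both values and the payload lands in the script line unchanged; the allow-list check keeps the benign range and drops the payload. Gating on the shape of a valid value is the robust form of the fix, since blocking one more character (quotes, parentheses, the word system) only invites the next encoding.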
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| net.opentsdb:opentsdb | Maven | <= 2.4.0 | — |
Affected products
OpenTSDB/OpenTSDB
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.