Synopsys Cybersecurity Research Center discovers new RCE vulnerability and cross-site scripting vulnerability in OpenTSDB.
The Synopsys Cybersecurity Research Center (CyRC) has discovered a remote command execution vulnerability (CVE-2023-25826), and a reflected cross-site scripting (XSS) vulnerability (CVE-2023-25827) in OpenTSDB. OpenTSDB is a distributed time series database (TSDB) working over Apache HBase that is designed for managing, querying, and displaying time-based metrics at a large scale.
CVE-2023-25826: Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This vulnerability exists because of an incomplete fix that was applied when the issue was previously disclosed as CVE-2020-35476. The regex validation that was implemented to restrict allowed input to the query API does not work as intended, so crafted commands can bypass it.
CVE-2023-25826: When requests are sent to the legacy HTTP query API (the ‘/q’ endpoint), crafted system commands can be injected into the ‘key’, ‘style’, and ‘smooth’ parameters in a way that bypasses the validation measures. When a request is submitted, these parameters are passed to a graph generation shell script, where any included commands are executed.
Exploitation of CVE-2023-25826 can lead to the injection of arbitrary OS commands that will be executed by the host system within the privileges of the OpenTSDB application.
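As an added detection example (not code from this advisory or from the OpenTSDB project), the following Python scans HTTP access-log lines for requests to the legacy ‘/q’ endpoint whose ‘key’, ‘style’ or ‘smooth’ values contain shell metacharacters, which is the kind of input such a validator should have rejected; the log format, the metacharacter set and the sample lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as injectable through the legacy /q endpoint.
WATCHED_PARAMS = {"key", "style", "smooth"}

# Characters that have no place in a legend-key, line-style or smoothing value
# but are meaningful to a shell (assumption: a conservative detection list).
SHELL_META = re.compile(r"[;&|`$<>\\\n\r]")

# Common-log-style line: client, timestamp, quoted request line, status.
# The format is an assumption, not OpenTSDB's own logging layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines: one benign /q request, one /q request
# carrying a shell metacharacter in 'style', and one non-legacy API request.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jan/2023:10:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&key=out%20center%20top&style=linespoint HTTP/1.1" 200',
    '10.0.0.9 - - [27/Jan/2023:10:00:07 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&style=linespoint%3Bid HTTP/1.1" 200',
    '10.0.0.9 - - [27/Jan/2023:10:00:09 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200',
]


def suspicious_params(target: str) -> dict:
    """Return {param: value} for watched /q parameters containing shell metacharacters."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/q":
        return {}
    hits = {}
    # parse_qs percent-decodes values, so an encoded ';' (%3B) is inspected as ';'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def scan_log(lines) -> list:
    """Return (client, timestamp, param, value) tuples for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in suspicious_params(m["target"]).items():
            findings.append((m["client"], m["ts"], param, value))
    return findings
```

Run against a real access log, a hit is a reason to check that the OpenTSDB instance is at a fixed version and to review what the graph generation script received.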
Fixed in the following commits:
These vulnerabilities were discovered by CyRC researcher Jamie Harris.
January 27, 2023: Initial disclosure and confirmation
February 21, 2023: First follow-up
March 8, 2023: Second follow-up
March 29, 2023: Final follow-up
April 11, 2023: OpenTSDB provides fixes
April 12, 2023: Synopsys confirms fixes
May 03, 2023: CVEs published
FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also states that any individual or organization that publishes scores should follow the guidelines so that anyone can understand how the score was calculated.
Jamie Harris is a vulnerability analyst who works in the Black Duck Security Research team. He began his career with Synopsys in 2018 and has been writing security advisories for our Black Duck customers. In his free time he loves gaming, exercising and following everything motorsport.