The Black Duck Cybersecurity Research Center (CyRC) has discovered a remote command execution vulnerability (CVE-2023-25826), and a reflected cross-site scripting (XSS) vulnerability (CVE-2023-25827) in OpenTSDB. OpenTSDB is a distributed time series database (TSDB) working over Apache HBase that is designed for managing, querying, and displaying time-based metrics at a large scale.
CVE-2023-25826: Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.
CVE-2023-25827: Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.
CVE-2023-25826: When supplying requests to the legacy HTTP query API (the ‘/q’ endpoint), crafted system commands can be injected into the ‘key’, ‘style’, and ‘smooth’ parameters that will bypass validation measures. When a request is submitted, parameters are passed to a graph generation shell script where included commands will be executed.
CVE-2023-25827: Malicious URLs can be crafted and supplied to a victim, and they cause request errors for the legacy HTTP query API (the ‘/q’ endpoint) and the logging ‘/logs’ endpoint. Arbitrary JavaScript can be injected into the ‘start’, ‘end’, ‘m’, and ‘key’ parameters of ‘/q’, and the ‘level’ parameter of ‘/logs’. If a victim accesses a crafted URL, included JavaScript will be reflected in the resulting error message and executed within their browser.
Exploitation of CVE-2023-25826 can lead to the injection of arbitrary OS commands that will be executed by the host system within the privileges of the OpenTSDB application.
Exploitation of CVE-2023-25827 can lead to the execution of arbitrary JavaScript within the browser of a targeted user, allowing an attacker to steal sensitive information retained by their browser, such as configured authentication tokens or session cookies.
CVE-2023-25826
CVE-2023-25827
Fixed in the following commits:
These vulnerabilities were discovered by CyRC researcher Jamie Harris.
January 27, 2023: Initial disclosure and confirmation
February 21, 2023: First follow-up
March 8, 2023: Second follow-up
March 29, 2023: Final follow-up
April 11, 2023: OpenTSDB provides fixes
April 12, 2023: Black Duck confirms fixes
May 03, 2023: CVEs published
FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.