CVE-2020-35476

9.8 CRITICAL

📋 TL;DR

OpenTSDB's /q graph endpoint copies the yrange query parameter into the gnuplot script it generates without adequate validation. Because gnuplot can run shell commands from a script (a `system(...)` call or backtick substitution), an unauthenticated remote attacker can execute arbitrary commands with the privileges of the TSD process. OpenTSDB through 2.4.0 is affected.

💻 Affected Systems

Products:
  • OpenTSDB
Versions: 2.4.0 and earlier
Operating Systems: Any platform running the TSD (Java); Linux/Unix hosts in practice
Default Config Vulnerable: ⚠️ Yes
Notes: The /q handler is part of the core TSD HTTP server, not an optional plugin. Exploitation requires gnuplot on the host, which graph rendering needs anyway, so any deployment that can draw graphs is exploitable.

📦 What is this software?

OpenTSDB is an open-source distributed time-series database built on Apache HBase. A TSD process exposes an HTTP API (port 4242 by default) and a built-in web UI; the UI's /q endpoint renders graphs by writing a gnuplot script and executing gnuplot on the TSD host.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary command execution as the account running the TSD. Where the TSD runs as root (common in quick installs), that is complete host takeover, followed by data exfiltration, lateral movement to other systems and a persistent backdoor.

🟠

Likely Case

Remote code execution as the TSD service account, leading to service disruption, manipulation of stored metrics, and cryptocurrency mining or ransomware deployment.

🟢

If Mitigated

Limited impact with network segmentation, an unprivileged TSD service account, and an allowlist on the yrange parameter enforced at a reverse proxy in front of the TSD.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available: a single unauthenticated HTTP request to /q with a crafted yrange value (a gnuplot `system(...)` call inside the range brackets) is enough to run a command on the TSD host.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1 and later

Vendor Advisory: https://github.com/OpenTSDB/opentsdb/issues/2051

Restart Required: Yes (the TSD must be restarted to load the patched GraphHandler)

Instructions:

1. Back up opentsdb.conf and any local customizations; a TSD upgrade does not modify the HBase tables themselves.
2. Obtain OpenTSDB 2.4.1 or later from the official repository (https://github.com/OpenTSDB/opentsdb/releases).
3. Stop the TSD service.
4. Install the patched release over the old one.
5. Start the TSD and confirm the running version with `curl -s http://<tsd-host>:4242/api/version`.

🔧 Temporary Workarounds

Disable the Graph Handler

linux

The /q graph handler belongs to the TSD's built-in web UI, not to the plugin system, so `tsd.core.plugin_path` has no effect on it. If graphs are not needed, switch off the built-in UI, which is what registers the handler:

tsd.core.enable_ui = false

in opentsdb.conf, then restart the TSD and confirm that GET /q now returns HTTP 404 (verify this rather than assume it, since the set of handlers behind that flag has varied between releases). Removing the gnuplot binary from the host is a further belt-and-braces step: the injected command is executed by gnuplot, so without it the payload never runs (legitimate graph rendering stops as well).

Input Validation Filter

all

Put a reverse proxy or WAF in front of port 4242 and allowlist the yrange parameter on /q: accept only a plain numeric range of the form `[min:max]` (either bound may be empty) and reject everything else with a 4xx. The value is interpreted by gnuplot, not by a shell, so a blocklist of shell metacharacters such as `$` and `|` misses the actual primitives (`system(...)`, backtick substitution, `;` as a command separator); the allowlist is the reliable rule. Apply it to the URL-decoded value, since clients normally send the parameter percent-encoded (`%5B0%3A%5D` for `[0:]`).

🧯 If You Can't Patch

  • Network segmentation: isolate TSD hosts from the internet and from critical systems; port 4242 should never be reachable from untrusted networks
  • Run the TSD as a dedicated unprivileged user so that a successful injection does not yield root
  • Enforce a numeric `[min:max]` allowlist on yrange at a reverse proxy in front of the TSD, or block /q there entirely if graphs are not used

🔍 How to Verify

Check if Vulnerable:

The installation is vulnerable if the TSD is version 2.4.0 or earlier, the /q endpoint is served, and gnuplot is present on the host.

Check Version:

tsdb version
curl -s http://<tsd-host>:4242/api/version

Both report the running TSD build; the startup log prints it too. Then confirm the handler is live: `curl -s -o /dev/null -w '%{http_code}' 'http://<tsd-host>:4242/q'` returning anything other than 404 means /q is being served.

Verify Fix Applied:

/api/version reports 2.4.1 or later, and a request to /q whose yrange is not a plain numeric range (for example `yrange=[0:abc]`) is rejected with an HTTP 4xx error instead of being rendered.

📡 Detection & Monitoring

Log Indicators:

  • Process-tree anomalies on the TSD host: the TSD's java process spawning mygnuplot.sh, then gnuplot, then a shell. gnuplot as a child of the TSD is expected; a shell as a child of gnuplot is not.
  • Cached gnuplot scripts (`*.gnuplot`) under tsd.http.cachedir whose `set yrange` line contains `system(`, a backtick or `;`
  • HTTP requests to /q whose URL-decoded yrange is anything other than a plain numeric `[min:max]` range

Network Indicators:

  • GET or POST requests to /q with unusual yrange values (clients normally send it percent-encoded, e.g. `%5B0%3A%5D`)
  • Outbound connections from the TSD host to unexpected destinations shortly after such a request

SIEM Query:

source="opentsdb" AND uri_path="/q" AND (yrange CONTAINS "system(" OR yrange CONTAINS "`" OR yrange CONTAINS ";")

Match on the URL-decoded value, and prefer the inverse rule where the SIEM supports it: alert on any /q request whose yrange does not match `^\[-?[0-9.]*:-?[0-9.]*\]$`.
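The yrange allowlist and the access-log check described above, as an added example in Python (editor's code, not OpenTSDB's and not part of the original page). It validates yrange the way a proxy rule should, then runs that rule over constructed access-log lines, URL-decoding the query string first. The log lines, IP addresses and commands in them are made up; the only OpenTSDB facts the code relies on are the /q path and the `yrange` parameter name.

```python
"""Flag CVE-2020-35476 exploitation attempts against OpenTSDB's /q endpoint.

Added example, not OpenTSDB project code. Two pieces:
  * yrange_is_safe(): an allowlist for the yrange parameter. A legitimate
    value is gnuplot range syntax `[min:max]` with numeric or empty bounds
    (`[0:]`, `[-5:100]`, `[:1e3]`); anything else is rejected. This is the
    shape of check a reverse proxy or WAF should enforce in front of /q.
  * scan_access_log(): runs that allowlist over web-server/proxy access-log
    lines, URL-decoding the query string first so percent-encoded payloads
    are not missed, and names the gnuplot primitive found.
The log lines below are constructed sample data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Signed integer/decimal with optional exponent, e.g. 0, -5, 1.5, .25, 1e3
NUM = r"-?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?"
YRANGE_OK = re.compile(rf"^\[({NUM})?:({NUM})?\]$")

# gnuplot, not the shell, interprets the value, so these are the primitives
# that matter: a system() call, backtick substitution, and `;`, which lets an
# attacker close the `set yrange` statement and start a new gnuplot command.
INJECTION_HINTS = (
    ("system(", re.compile(r"system\s*\(", re.IGNORECASE)),
    ("backtick substitution", re.compile(r"`")),
    ("command separator", re.compile(r";")),
)


def yrange_is_safe(value: str) -> bool:
    """True only for a plain numeric [min:max] range."""
    return YRANGE_OK.match(value) is not None


def classify_yrange(value: str) -> list:
    """Injection primitives present in a rejected yrange ([] if the value is safe)."""
    if yrange_is_safe(value):
        return []
    found = [name for name, rx in INJECTION_HINTS if rx.search(value)]
    return found or ["non-numeric range"]


# Combined/common log format: "<METHOD> <target> HTTP/x.y" <status>
REQUEST_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Yield (line_no, method, decoded_yrange, findings) for /q requests with a bad yrange."""
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/q":
            continue
        # parse_qs percent-decodes values; keep_blank_values keeps flags such as `&png`.
        for raw in parse_qs(url.query, keep_blank_values=True).get("yrange", []):
            findings = classify_yrange(raw)
            if findings:
                yield line_no, m.group("method"), raw, findings


# Constructed sample access log: one benign graph request, one non-graph API
# call, and two injection attempts (the commands are harmless placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2021:10:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user'
    '&yrange=%5B0%3A%5D&png HTTP/1.1" 200 5123',
    '10.0.0.5 - - [10/Jan/2021:10:00:07 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user'
    ' HTTP/1.1" 200 2201',
    '198.51.100.7 - - [10/Jan/2021:10:02:14 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user'
    '&yrange=%5B0%3Asystem(%27id%27)%5D&png HTTP/1.1" 200 4011',
    '198.51.100.7 - - [10/Jan/2021:10:02:20 +0000] "POST /q?start=1h-ago&m=sum:sys.cpu.user'
    '&yrange=%5B0%3A1%5D%3B%20%60id%60&png HTTP/1.1" 200 4011',
]

if __name__ == "__main__":
    for line_no, method, yrange, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} /q yrange={yrange!r} -> {', '.join(findings)}")
```

Run against the sample data it reports lines 3 and 4 and stays silent on the legitimate `[0:]` request. The same `yrange_is_safe` check can be pointed at the `set yrange` line of any `*.gnuplot` file left in tsd.http.cachedir to find attempts that reached the TSD without passing through a logging proxy.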

🔗 References

  • https://github.com/OpenTSDB/opentsdb/issues/2051 (vendor issue tracking the fix)
  • https://nvd.nist.gov/vuln/detail/CVE-2020-35476