OpenTSDB yrange RCE (direct check)

critical Nessus Plugin ID 151489




The remote web server contains a time series database application that is affected by a remote code execution vulnerability.


The OpenTSDB application hosted on the remote web server is affected by a remote code execution vulnerability because it fails to properly sanitize user-supplied input in the yrange parameter. The yrange value is written into a gnuplot script file under the /tmp directory, and that file is then executed by a shell script. A remote, unauthenticated attacker can therefore craft a request that results in arbitrary system commands being executed on the remote host.

Note that thorough tests may be required to detect some vulnerable installations, such as Docker-based deployments.
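The defensive counterpart to the description above is to treat yrange as an allowlisted value rather than free text, and to look for requests that would not pass such an allowlist. The following is an added example, not Nessus plugin code and not OpenTSDB's own validation: it assumes (as an assumption, not from the page) that a legitimate yrange has the gnuplot form `[min:max]` with optional signed decimal bounds, and it scans constructed Apache-style access-log lines for /q requests whose yrange parameter falls outside that form.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for the gnuplot yrange parameter: "[min:max]" where each bound is an
# optional signed decimal number. This pattern is an assumption made for the example;
# it is not OpenTSDB's own validation code.
YRANGE_RE = re.compile(r"\[(-?\d+(?:\.\d+)?)?:(-?\d+(?:\.\d+)?)?\]")

# Matches the request target inside a combined-log-format line (constructed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def yrange_is_safe(value: str) -> bool:
    """True only if the whole value is a bracketed numeric range; anything else is rejected."""
    return YRANGE_RE.fullmatch(value) is not None


def find_suspicious_yrange(log_lines):
    """Return (line_number, decoded_yrange) for each request whose yrange fails the allowlist.

    parse_qs percent-decodes the query string, so the check runs on the value the
    application would actually see rather than on its URL-encoded form.
    """
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a request line we understand; skip it
        query = parse_qs(urlsplit(match.group(1)).query)
        for value in query.get("yrange", []):
            if not yrange_is_safe(value):
                hits.append((line_no, value))
    return hits


# Constructed sample log lines (not real traffic): two well-formed yrange values,
# one value carrying trailing text outside the bracketed range, and one request without yrange.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2021:12:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=%5B0:100%5D&png HTTP/1.1" 200 5120',
    '10.0.0.5 - - [09/Jul/2021:12:00:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=%5B:%5D&png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Jul/2021:12:00:03 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=%5B0:1%5Dextra&png HTTP/1.1" 200 100',
    '10.0.0.9 - - [09/Jul/2021:12:00:04 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, value in find_suspicious_yrange(SAMPLE_LOG):
        print(f"line {line_no}: yrange value {value!r} fails the allowlist")
```

The same `yrange_is_safe` check is what an application-side fix would apply before any value is written into a file that a shell will later execute: reject the request outright when the value does not match, rather than trying to escape it. As a log scan it is only a heuristic, since the third sample line may be a harmless typo, but any non-conforming yrange on an unpatched host is worth a closer look.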


Restrict access to the vulnerable application. Contact the vendor to see if an update is available.

Plugin Details

Severity: Critical

ID: 151489

File Name: opentsdb_yrange_rce.nbin

Version: 1.4

Type: remote

Family: CGI abuses

Published: 7/9/2021

Updated: 10/19/2021

Dependencies: opentsdb_http_detect.nbin

Risk Information

CVSS Score Source: CVE-2020-35476


Vulnerability Priority Rating (VPR)

Risk Factor: Medium

Score: 5.9


CVSS v2.0

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C


CVSS v3.0

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:opentsdb:opentsdb

Required KB Items: installed_sw/OpenTSDB

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 11/18/2020

Reference Information

CVE: CVE-2020-35476