CVE-2020-35476: Command Injection
(updated )
A remote code execution vulnerability occurs in OpenTSDB via command injection in the yrange
parameter. The yrange
value is written to a gnuplot file in the /tmp
directory. This file is then executed via the mygnuplot.sh
shell script. (tsd/GraphHandler.java
attempted to prevent command injections by blocking backticks but this is insufficient).
References
Detect and mitigate CVE-2020-35476 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →