-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2023-25826 #2288
Comments
Hi OpenTSDB team, We are working on the fix for CVE-2023-36812 and found too be fixed in 2.4.2. But we don't see this jar available in public Maven repo https://mvnrepository.com/artifact/net.opentsdb/opentsdb. Any update on when 2.4.2 will be available for public use? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello openTSDB,
Questions for you, has CVE-2023-25826 been addressed or resolved? I can't seem to find any evidence in your repo to suggest the vulnerability was addressed. Additionally, there are several, recent active exploits publicly available for this vulnerability.
Currently the only open CVE advisory listed in the Security tab is CVE-2023-36812. CVE-2023-36812 seems to describe CVE-2023-25826, and both CVEs link to the exact same patch. Are they the same vulnerability?
exploitation tools for CVE-2023-25826:
https://packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html
https://github.com/ErikWynter/opentsdb_key_cmd_injection
Thank you!,
Nathan
The text was updated successfully, but these errors were encountered: