Open
Description
Hello OpenTSDB,
Questions for you: has CVE-2023-25826 been addressed or resolved? I can't seem to find any evidence in your repo to suggest the vulnerability was addressed. Additionally, there are several recent, active exploits publicly available for this vulnerability.
Currently the only open CVE advisory listed in the Security tab is CVE-2023-36812. CVE-2023-36812 seems to describe CVE-2023-25826, and both CVEs link to the exact same patch. Are they the same vulnerability?
Exploitation tools for CVE-2023-25826:
https://packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html
https://github.com/ErikWynter/opentsdb_key_cmd_injection
Thank you!
Nathan