OpenTSDB 2.4.1 Remote Code Execution #2261

@oxeye-daniel

During our research at Oxeye Security, we found that OpenTSDB is vulnerable to Remote Code Execution by writing user-controlled input to a Gnuplot configuration file and running Gnuplot with the generated configuration.

As we don't want to publish zero days on the web without first contacting you, please provide us with a secure email address so we can communicate the description, reproduction steps, and more.

This vulnerability was discovered by Gal Goldshtein and Daniel Abeles.
