Home page logo
/

oss-sec logo oss-sec mailing list archives

graphite CVE-2013-5903 confusion
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 24 Sep 2013 15:34:20 -0700

Hello, I'm looking at CVE-2013-5903 from graphite and I believe there has
been a problem in how it has been applied.

The description from NVD and OSVDB says the vulnerability is cross-site
scripting:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5903

    Cross-site scripting (XSS) vulnerability in Graphite before 0.9.11
    allows remote attackers to inject arbitrary web script or HTML via
    unspecified vectors.

http://osvdb.org/show/osvdb/97602

    Graphite contains a flaw that allows a remote cross-site scripting
    (XSS) attack. This flaw exists because the application does not
    validate certain unspecified input before returning it to the user.
    This may allow an attacker to create a specially crafted request
    that would execute arbitrary script code in a user's browser within
    the trust relationship between their browser and the server.


However, the checkins from the project appear to use this CVE for unsafe
use of Python's pickle module:

https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst

    This release contains several security fixes for cross-site scripting
    (XSS) as well as a fix for a remote-execution exploit in graphite-web
    (CVE-2013-5903).

    ...

    Fix insecure deserialization of pickled objects (CVE-2013-5093)


MITRE, please advise.

Thanks

Attachment: signature.asc
Description: Digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]