Home page logo

oss-sec logo oss-sec mailing list archives

graphite CVE-2013-5903 confusion
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 24 Sep 2013 15:34:20 -0700

Hello, I'm looking at CVE-2013-5903 from graphite and I believe there has
been a problem in how it has been applied.

The description from NVD and OSVDB says the vulnerability is cross-site


    Cross-site scripting (XSS) vulnerability in Graphite before 0.9.11
    allows remote attackers to inject arbitrary web script or HTML via
    unspecified vectors.


    Graphite contains a flaw that allows a remote cross-site scripting
    (XSS) attack. This flaw exists because the application does not
    validate certain unspecified input before returning it to the user.
    This may allow an attacker to create a specially crafted request
    that would execute arbitrary script code in a user's browser within
    the trust relationship between their browser and the server.

However, the checkins from the project appear to use this CVE for unsafe
use of Python's pickle module:


    This release contains several security fixes for cross-site scripting
    (XSS) as well as a fix for a remote-execution exploit in graphite-web


    Fix insecure deserialization of pickled objects (CVE-2013-5093)

MITRE, please advise.


Attachment: signature.asc
Description: Digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]