mailing list archives
graphite CVE-2013-5903 confusion
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 24 Sep 2013 15:34:20 -0700
Hello, I'm looking at CVE-2013-5903 from graphite and I believe there has
been a problem in how it has been applied.
The description from NVD and OSVDB says the vulnerability is cross-site
Cross-site scripting (XSS) vulnerability in Graphite before 0.9.11
allows remote attackers to inject arbitrary web script or HTML via
Graphite contains a flaw that allows a remote cross-site scripting
(XSS) attack. This flaw exists because the application does not
validate certain unspecified input before returning it to the user.
This may allow an attacker to create a specially crafted request
that would execute arbitrary script code in a user's browser within
the trust relationship between their browser and the server.
However, the checkins from the project appear to use this CVE for unsafe
use of Python's pickle module:
This release contains several security fixes for cross-site scripting
(XSS) as well as a fix for a remote-execution exploit in graphite-web
Fix insecure deserialization of pickled objects (CVE-2013-5093)
MITRE, please advise.
Description: Digital signature
- graphite CVE-2013-5903 confusion Seth Arnold (Sep 24)