PYSEC-2013-3

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/graphite-web/PYSEC-2013-3.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2013-3

Aliases

CVE-2013-5093
GHSA-m923-w2gj-v43g

Published

2013-09-27T10:08:00Z

Modified

2023-11-01T04:45:16.027804Z

Summary

[none]

Details

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

References

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb
http://secunia.com/advisories/54556
https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst
http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/
http://www.securityfocus.com/bid/61894
http://www.osvdb.org/96436
http://www.exploit-db.com/exploits/27752

Affected packages

PyPI / graphite-web

Package

Name: graphite-web; View open source insights on deps.dev
Purl: pkg:pypi/graphite-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.9.5

Fixed

0.9.11

Affected versions

0.*

0.9.5

0.9.6

0.9.7b

0.9.7c

0.9.7

0.9.8

0.9.9

0.9.10