CVE-2017-18638

Published: 11 Oct 2019
Source: debian
EPSS: Critical

Description

send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| graphite-web | fixed | 1.1.4-5 | | package |
| graphite-web | fixed | 1.1.4-3+deb10u1 | buster | package |

Notes

  • https://github.com/graphite-project/graphite-web/issues/2008

  • https://github.com/graphite-project/graphite-web/pull/2499

  • https://github.com/graphite-project/graphite-web/security/advisories/GHSA-vfj6-275q-4pvm

EPSS

Percentile: 100%
0.90804
Critical

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 6 years ago

send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

CVSS3: 7.5
redhat
more than 6 years ago

send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

CVSS3: 7.5
nvd
more than 6 years ago

send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

CVSS3: 7.5
github
more than 6 years ago

graphite.composer.views.send_email vulnerable to SSRF
