graphite-web@0.9.9 vulnerabilities

Enterprise scalable realtime graphing

Direct Vulnerabilities

Known vulnerabilities in the graphite-web package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Template Name" input at http://localhost/dashboard/.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Absolute Time Range" input at http://localhost/dashboard/.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Relative Time Range" input at http://localhost/dashboard/.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Cross-site Scripting (XSS)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via setDashboardName.

How to fix Cross-site Scripting (XSS)?

Upgrade graphite-web to version 1.1.8 or higher.

[,1.1.8)
  • H
Server-side Request Forgery (SSRF)

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in send_email in graphite-web/webapp/graphite/composer/views.py. The endpoint can be used by an attacker to have the web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

How to fix Server-side Request Forgery (SSRF)?

Upgrade graphite-web to version 1.1.6 or higher.

[,1.1.6)
  • M
Arbitrary Code Injection

graphite-web is a Enterprise scalable realtime graphing The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

[0.9.5,0.9.11)
  • M
Arbitrary Code Injection

graphite-web is a Enterprise scalable realtime graphing Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.

[0.9.5,0.9.11)
  • M
Cross-site Scripting (XSS)

graphite-web is a Enterprise scalable realtime graphing.

Multiple cross-site scripting (XSS) vulnerabilities in Graphite before 0.9.11 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

[,0.9.11)