Server-side Request Forgery (SSRF) Affecting graphite-web package, versions [,1.1.6)


Severity

Recommended
0.0
high
0
10

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.83% (83rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-GRAPHITEWEB-472979
  • published 13 Oct 2019
  • disclosed 11 Oct 2019
  • credit Orange Tsai

How to fix?

Upgrade graphite-web to version 1.1.6 or higher.

Overview

graphite-web is a real-time graphing system.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in send_email in graphite-web/webapp/graphite/composer/views.py. The endpoint can be used by an attacker to have the web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

7.5 high
Expand this section

Red Hat

7.5 high