Server-side Request Forgery (SSRF) Affecting graphite-web package, versions [,1.1.6)
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.83% (83rd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-GRAPHITEWEB-472979
- published 13 Oct 2019
- disclosed 11 Oct 2019
- credit Orange Tsai
Introduced: 11 Oct 2019
CVE-2017-18638 Open this link in a new tabHow to fix?
Upgrade graphite-web
to version 1.1.6 or higher.
Overview
graphite-web is a real-time graphing system.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in send_email
in graphite-web/webapp/graphite/composer/views.py
. The endpoint can be used by an attacker to have the web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
References
CVSS Scores
version 3.1