Graphite Remote Code Execution Vulnerability Network Vulnerability

Summary

Graphite is prone to a remote code-execution vulnerability.

Impact

Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application. Impact Level: Application

Solution

Ask the Vendor for an update.

Insight

In graphite-web 0.9.5, a 'clustering' feature was introduced to allow for scaling for a graphite setup. This was achieved by passing pickles between servers. However due to no explicit safety measures having been implemented to limit the types of objects that can be unpickled, this creates a condition where arbitrary code can be executed

Affected

Graphite versions 0.9.5 through 0.9.10 are vulnerable.

Detection

Try to execute the 'sleep' command by sending a special crafted HTTP request and check how long the response take.

References

http://www.securityfocus.com/bid/61894

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-5093

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Apache mod_proxy_ftp Wildcard Characters XSS Vulnerability
Adobe ColdFusion HTTP Response Splitting Vulnerability
@Mail WebMail Email Body HTML Injection Vulnerability
Apache Archiva Multiple Vulnerabilities
Apache Tomcat cal2.jsp Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities