oss-sec mailing list archives
Re: graphite CVE-2013-5903 confusion
From: cve-assign () mitre org
Date: Fri, 27 Sep 2013 08:56:54 -0400 (EDT)
However, the checkins from the project appear to use this CVE for unsafe use of Python's pickle module:

https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst

  This release contains several security fixes for cross-site scripting (XSS)
  as well as a fix for a remote-execution exploit in graphite-web (CVE-2013-5903).

This use of CVE-2013-5903 is a typo. The original CVE for this disclosure was correctly entered by the researcher at:

http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/

(Also, the original CVE was not intended to be an XSS CVE.)

The correct assignments are:

CVE-2013-5093: unsafe use of Python's pickle module in render/views.py

CVE-2013-5942: unsafe use of Python's pickle module in other 0.9.10 files that were not mentioned in the ceriksen.com post

CVE-2013-5943: XSS, as reported in 0_9_11.rst

CVE-2013-5903: a rejected CVE - a use of this CVE could conceivably mean any of CVE-2013-5093, CVE-2013-5942, or CVE-2013-5943

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
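The "unsafe use of Python's pickle module" behind these assignments is the pattern of calling pickle.loads() on untrusted input. As an added illustration of the defensive side (my code, not graphite-web's actual fix), the loader below allowlists the globals a pickle stream may resolve and then checks the payload's shape; the list-of-dicts series layout and its key names are assumptions, not taken from the advisory.

```python
import collections
import io
import pickle

# Globals a series payload may resolve. Assumption (not from the advisory): the
# data is plain lists/dicts/strings/numbers, which need no GLOBAL lookups at all.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}
# Assumed series layout (hypothetical): a list of dicts carrying these keys.
REQUIRED_KEYS = {"name", "start", "end", "step", "values"}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle.loads() imports and calls any callable named in the stream;
    find_class is the hook where a loader can refuse everything not allowlisted."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that rejects non-allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_series_shaped(obj) -> bool:
    """Structural check applied after unpickling: a list of well-formed series dicts."""
    return isinstance(obj, list) and all(
        isinstance(s, dict) and REQUIRED_KEYS <= set(s) and isinstance(s["values"], list)
        for s in obj
    )

def load_series(data: bytes):
    """Return (series, None) on success or (None, reason) when the payload is rejected."""
    try:
        obj = safe_loads(data)
    except pickle.UnpicklingError as exc:
        return None, f"rejected: {exc}"
    if not is_series_shaped(obj):
        return None, "rejected: unexpected payload shape"
    return obj, None

# Constructed sample payloads (not captured traffic).
GOOD_PAYLOAD = pickle.dumps([{"name": "cpu.load", "start": 0, "end": 120, "step": 60, "values": [0.5, None]}])
# Benign, but references a global outside the allowlist, so the loader refuses it.
GLOBAL_PAYLOAD = pickle.dumps(collections.OrderedDict(a=1))
# Well-formed pickle of the wrong shape.
SHAPE_PAYLOAD = pickle.dumps({"not": "a list"})
```

Where the input does not need to be a pickle at all, switching the endpoint to JSON removes the class-resolution step entirely; the restricted unpickler is the mitigation for the cases where the wire format must stay.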
Current thread:
- graphite CVE-2013-5903 confusion Seth Arnold (Sep 24)
- Re: graphite CVE-2013-5903 confusion cve-assign (Sep 27)