graphite CVE-2013-5903 confusion

[Seth Arnold <seth.arnold () canonical com>]

Hello, I'm looking at CVE-2013-5903 from graphite and I believe there has
been a problem in how it has been applied.

The description from NVD and OSVDB says the vulnerability is cross-site
scripting:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5903

    Cross-site scripting (XSS) vulnerability in Graphite before 0.9.11
    allows remote attackers to inject arbitrary web script or HTML via
    unspecified vectors.

http://osvdb.org/show/osvdb/97602

    Graphite contains a flaw that allows a remote cross-site scripting
    (XSS) attack. This flaw exists because the application does not
    validate certain unspecified input before returning it to the user.
    This may allow an attacker to create a specially crafted request
    that would execute arbitrary script code in a user's browser within
    the trust relationship between their browser and the server.


However, the checkins from the project appear to use this CVE for unsafe
use of Python's pickle module:

https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst

    This release contains several security fixes for cross-site scripting
    (XSS) as well as a fix for a remote-execution exploit in graphite-web
    (CVE-2013-5903).

    ...

    Fix insecure deserialization of pickled objects (CVE-2013-5093)


MITRE, please advise.

Thanks

Attachment: signature.asc
Description: Digital signature