oss-sec mailing list archives

Re: graphite CVE-2013-5903 confusion


From: cve-assign () mitre org
Date: Fri, 27 Sep 2013 08:56:54 -0400 (EDT)


However, the checkins from the project appear to use this CVE for unsafe
use of Python's pickle module:

https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst

   This release contains several security fixes for cross-site scripting
   (XSS) as well as a fix for a remote-execution exploit in graphite-web
   (CVE-2013-5903).

This use of CVE-2013-5903 is a typo. The original CVE for this
disclosure was correctly entered by the researcher at:

  http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/

(Also, the original CVE was not intended to be an XSS CVE.)

The correct assignments are:

CVE-2013-5093: unsafe use of Python's pickle module in render/views.py

CVE-2013-5942: unsafe use of Python's pickle module in other 0.9.10
               files that were not mentioned in the ceriksen.com post

CVE-2013-5943: XSS, as reported in 0_9_11.rst

CVE-2013-5903: a rejected CVE - a use of this CVE could conceivably mean
               any of CVE-2013-5093, CVE-2013-5942, or CVE-2013-5943

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
