CVE-2013-5942: graphite-web is vulnerable to Remote Code Execution

May 17, 2022 (updated September 20, 2024)

Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) allow list/views.py, a different vulnerability than CVE-2013-5093.

References

github.com/advisories/GHSA-ch3j-w953-hfcm
github.com/graphite-project/graphite-web
github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst
github.com/pypa/advisory-database/tree/main/vulns/graphite-web/PYSEC-2013-34.yaml
nvd.nist.gov/vuln/detail/CVE-2013-5942

Code Behaviors & Features

Detect and mitigate CVE-2013-5942 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →