
List:       oss-security
Subject:    [oss-security] Re: graphite CVE-2013-5903 confusion
From:       cve-assign () mitre ! org
Date:       2013-09-27 12:56:54
Message-ID: 201309271257.r8RCusBJ010451 () linus ! mitre ! org

>However, the checkins from the project appear to use this CVE for unsafe
>use of Python's pickle module:
>
>https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst
>
>    This release contains several security fixes for cross-site scripting
>    (XSS) as well as a fix for a remote-execution exploit in graphite-web
>    (CVE-2013-5903).

This use of CVE-2013-5903 is a typo. The original CVE for this
disclosure was correctly entered by the researcher at:

  http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/

(Also, the original CVE was not intended to be an XSS CVE.)

The correct assignments are:

CVE-2013-5093: unsafe use of Python's pickle module in render/views.py

CVE-2013-5942: unsafe use of Python's pickle module in other 0.9.10
               files that were not mentioned in the ceriksen.com post

CVE-2013-5943: XSS, as reported in 0_9_11.rst

CVE-2013-5903: a rejected CVE - a use of this CVE could conceivably mean
               any of CVE-2013-5093, CVE-2013-5942, or CVE-2013-5943

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
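An added illustration of the bug class these assignments name (unsafe loading of Python pickle data), not code from graphite-web or from the CVE team: a loader that allowlists the module-level names a pickle stream may reference, tried against a constructed render-style payload and a constructed payload that names an arbitrary importable. The allowlist contents and the payload shape are assumptions, not graphite-web's real format.

```python
import io
import os
import pickle

# Hypothetical allowlist: the only (module, name) pairs a payload may reference.
# A real deployment needs its own list; this one is an assumption for the example.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference not on the allowlist.

    Plain pickle.loads() resolves any (module, name) pair named in the stream
    and may call it while rebuilding objects; that is the "unsafe use" the
    CVEs above describe. Overriding find_class is the hook that stops it.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    """Deserialize with the allowlist enforced; raises UnpicklingError otherwise."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample payloads (not captured from graphite-web).
# 1. A harmless render-style payload built only from containers and scalars.
GOOD_PAYLOAD = pickle.dumps({
    "target": "carbon.agents.host-a.cpuUsage",
    "datapoints": [(1380283200, 0.5), (1380283260, None)],
    "tags": frozenset({"cpu", "host-a"}),
})
# 2. A payload that references an arbitrary importable by name (os.getcwd,
#    chosen because it is harmless; pickle records it under its defining
#    module, e.g. "posix"). Default pickle.loads would hand back the function.
BAD_PAYLOAD = pickle.dumps(os.getcwd)


def classify(data: bytes) -> str:
    """Return 'accepted' if the allowlisted loader takes the stream, else 'rejected'."""
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"
```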