CVE-2013-5093
published 2013-09-27CVE-2013-5093: The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote…
PriorityP263medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
38.67%
98.4th percentile
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | graphite-web | < graphite-web 0.9.12+debian-1 (bookworm) | graphite-web 0.9.12+debian-1 (bookworm) |
| graphite_project | graphite | — | — |
| graphite_project | graphite | — | — |
| graphite_project | graphite | — | — |
| graphite_project | graphite | — | — |
| graphite_project | graphite | — | — |
| graphite_project | graphite | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP POST requests to the /render/local endpoint; a 500 response indicates the target is likely vulnerable (as used by the Metasploit check method). ↗
- →Inspect POST body to /render/local for pickle opcode patterns: presence of 'cposix\nsystem' or 'cp1\n' style pickle streams indicates exploitation of unsafe pickle deserialization. ↗
- →The vulnerable function is renderLocalView in render/views.py; monitor for unexpected process spawning (e.g., shell commands) originating from the graphite-web process. ↗
- →No authentication or validation between servers exists, meaning the exploit is reachable by unauthenticated remote users; alert on unauthenticated POST to /render/local from external IPs. ↗
- ·The vulnerable endpoint /render/local is part of Graphite's clustering feature introduced in 0.9.5; deployments not using clustering may still expose this endpoint if not explicitly restricted. ↗
- ·Affected versions are 0.9.5 through 0.9.10 inclusive; the fix was introduced in 0.9.11/0.9.12. Confirm installed version before applying detection rules. ↗
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa6.8MEDIUM
osv6.8MEDIUM
vendor_debian6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
graphite-web is vulnerable to Remote Code Execution
osv·2022-05-17·CVSS 6.8
CVE-2013-5942 [MEDIUM] graphite-web is vulnerable to Remote Code Execution
graphite-web is vulnerable to Remote Code Execution
Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.
GHSA
graphite-web is vulnerable to Remote Code Execution via renderLocalView function
ghsa·2022-05-17
CVE-2013-5093 [CRITICAL] CWE-94 graphite-web is vulnerable to Remote Code Execution via renderLocalView function
graphite-web is vulnerable to Remote Code Execution via renderLocalView function
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.
GHSA
graphite-web is vulnerable to Remote Code Execution
ghsa·2022-05-17·CVSS 6.8
CVE-2013-5942 [MEDIUM] CWE-94 graphite-web is vulnerable to Remote Code Execution
graphite-web is vulnerable to Remote Code Execution
Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.
OSV
graphite-web is vulnerable to Remote Code Execution via renderLocalView function
osv·2022-05-17
CVE-2013-5093 [CRITICAL] graphite-web is vulnerable to Remote Code Execution via renderLocalView function
graphite-web is vulnerable to Remote Code Execution via renderLocalView function
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.
OSV
CVE-2013-5942: Graphite 0
osv·2013-09-27·CVSS 6.8
CVE-2013-5942 [MEDIUM] CVE-2013-5942: Graphite 0
Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.
OSV
CVE-2013-5093: The renderLocalView function in render/views
osv·2013-09-27·CVSS 6.8
CVE-2013-5093 [MEDIUM] CVE-2013-5093: The renderLocalView function in render/views
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.
Debian
CVE-2013-5942: graphite-web - Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allo...
vendor_debian·2013·CVSS 6.8
CVE-2013-5942 [MEDIUM] CVE-2013-5942: graphite-web - Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allo...
Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.
Scope: local
bookworm: resolved (fixed in 0.9.12+debian-1)
forky: resolved (fixed in 0.9.12+debian-1)
sid: resolved (fixed in 0.9.12+debian-1)
trixie: resolved (fixed in 0.9.12+debian-1)
Debian
CVE-2013-5093: graphite-web - The renderLocalView function in render/views.py in graphite-web in Graphite 0.9....
vendor_debian·2013·CVSS 6.8
CVE-2013-5093 [MEDIUM] CVE-2013-5093: graphite-web - The renderLocalView function in render/views.py in graphite-web in Graphite 0.9....
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.
Scope: local
bookworm: resolved (fixed in 0.9.12+debian-1)
forky: resolved (fixed in 0.9.12+debian-1)
sid: resolved (fixed in 0.9.12+debian-1)
trixie: resolved (fixed in 0.9.12+debian-1)
No detection rules found.
Exploit-DB
Graphite Web - Unsafe Pickle Handling (Metasploit)
exploitdb·2013-08-21
CVE-2013-5093 Graphite Web - Unsafe Pickle Handling (Metasploit)
Graphite Web - Unsafe Pickle Handling (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Graphite Web Unsafe Pickle Handling',
'Description' => %q{
This module exploits a remote code execution vulnerability in the pickle
handling of the rendering code in the Graphite Web project between version
0.9.5 and 0.9.10(both included).
},
'Author' =>
[
'Charlie Eriksen' # Initial discovery and exploit
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-5093'],
[ 'URL', 'http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advi
Metasploit
Graphite Web Unsafe Pickle Handling
metasploit
Graphite Web Unsafe Pickle Handling
Graphite Web Unsafe Pickle Handling
This module exploits a remote code execution vulnerability in the pickle handling of the rendering code in the Graphite Web project between version 0.9.5 and 0.9.10 (both included).
Bugzilla
CVE-2013-5093 graphite-web: remote code execution flaw due to pickle processing [epel-6]
bugzilla·2013-08-22·CVSS 6.8
CVE-2013-5093 [MEDIUM] CVE-2013-5093 graphite-web: remote code execution flaw due to pickle processing [epel-6]
CVE-2013-5093 graphite-web: remote code execution flaw due to pickle processing [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 trac
Bugzilla
CVE-2013-5093 CVE-2013-5942 CVE-2013-5943 graphite-web: remote code execution flaw due to pickle processing
bugzilla·2013-08-22·CVSS 6.8
CVE-2013-5093 [MEDIUM] CVE-2013-5093 CVE-2013-5942 CVE-2013-5943 graphite-web: remote code execution flaw due to pickle processing
CVE-2013-5093 CVE-2013-5942 CVE-2013-5943 graphite-web: remote code execution flaw due to pickle processing
It was reported [1] that a flaw exists in graphite-web versions 0.9.5 through to 0.9.10, due to the use of the pickle module. The clustering feature of graphite-web was introduced in 0.9.5 to facilitate scaling for a graphite setup, which was achieved by passing pickled data between servers. However, upon receipt of the pickled data, no validation was done to limit the types of objects that are unpickled, which creates a condition where arbitrary code can be executed. Based on the available metasploit module [2], it does not look as though any kind of authentication or validation between servers exists either, to prevent a remote unauthenticated user from exploiting this flaw.
This
Bugzilla
CVE-2013-5093 graphite-web: remote code execution flaw due to pickle processing [fedora-all]
bugzilla·2013-08-22·CVSS 6.8
CVE-2013-5093 [MEDIUM] CVE-2013-5093 graphite-web: remote code execution flaw due to pickle processing [fedora-all]
CVE-2013-5093 graphite-web: remote code execution flaw due to pickle processing [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note:
Greynoiseio
NoiseLetter February 2024
blogs_greynoiseio
NoiseLetter February 2024
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/http://secunia.com/advisories/54556http://www.exploit-db.com/exploits/27752http://www.osvdb.org/96436http://www.securityfocus.com/bid/61894https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rsthttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rbhttp://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/http://secunia.com/advisories/54556http://www.exploit-db.com/exploits/27752http://www.osvdb.org/96436http://www.securityfocus.com/bid/61894https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rsthttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb
2013-09-27
Published