CVE-2013-5093
published 2013-09-27

Priority: P2 (63), medium
CVSS 2.0 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 38.67% (98.4th percentile)
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

Affected (7 ranges)

Vendor            Product        Version range                               Fixed in
debian            graphite-web   < graphite-web 0.9.12+debian-1 (bookworm)   graphite-web 0.9.12+debian-1 (bookworm)
graphite_project  graphite       (6 ranges; version details not given on this page)

Detection & IOCs (extracted from sources)

URL: /render/local
Command line (pickle stream): cposix\nsystem\np1\n(S'<payload>'\np2\ntp3\nRp4\n.
Path: render/views.py
  • Detect HTTP POST requests to the /render/local endpoint; a 500 response indicates the target is likely vulnerable (as used by the Metasploit check method).
  • Inspect the POST body sent to /render/local for pickle opcode patterns: the presence of 'cposix\nsystem' (a protocol-0 GLOBAL opcode naming posix.system) or a similar 'c<module>\n<name>\n ... p1\n' opcode sequence indicates exploitation of the unsafe pickle deserialization.
  • The vulnerable function is renderLocalView in render/views.py; monitor for unexpected process spawning (e.g., shell commands) originating from the graphite-web process.
  • No authentication or validation between servers exists, meaning the exploit is reachable by unauthenticated remote users; alert on unauthenticated POST to /render/local from external IPs.
  • The vulnerable endpoint /render/local is part of Graphite's clustering feature introduced in 0.9.5; deployments not using clustering may still expose this endpoint if it is not explicitly restricted.
  • Affected versions are 0.9.5 through 0.9.10 inclusive; the fix was introduced in 0.9.11/0.9.12. Confirm the installed version before applying detection rules.
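One way to implement the POST-body check described above, as an added example that is not part of this record or of Graphite's own code: it tokenises the pickle stream with pickletools.genops (which never executes the pickle) and flags GLOBAL references to process-spawning modules. It assumes the captured body is the pickle stream itself, and it uses the IOC pattern from this page, with its '<payload>' placeholder, as a constructed sample.

```python
import pickle
import pickletools

# Modules a legitimate render/local options pickle has no reason to reference;
# a GLOBAL opcode naming one of them matches the 'cposix\nsystem' IOC above.
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "__builtin__"}


def pickle_globals(body: bytes):
    """Return ([(module, name), ...], parsed_ok) for GLOBAL/STACK_GLOBAL opcodes.
    pickletools.genops only walks opcodes; nothing in the stream is loaded."""
    found, strings = [], []          # strings: recent str args, for STACK_GLOBAL
    try:
        for op, arg, _pos in pickletools.genops(body):
            if op.name == "GLOBAL":                      # protocol 0-3: "module name"
                module, name = arg.split(" ", 1)
                found.append((module, name))
            elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE"):
                strings.append(arg)
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:   # protocol 4+
                found.append((strings[-2], strings[-1]))
    except Exception:                # truncated or malformed stream
        return found, False
    return found, True


def classify_render_local_post(path: str, body: bytes) -> str:
    """Label a request: 'ignore', 'benign', 'suspicious' or 'malicious'."""
    if path != "/render/local":
        return "ignore"
    refs, parsed_ok = pickle_globals(body)
    if any(module in DANGEROUS_MODULES for module, _ in refs):
        return "malicious"
    if refs or not parsed_ok:        # unexpected class references or garbage: review
        return "suspicious"
    return "benign"


# Constructed samples: the IOC pattern from this page (placeholder command kept)
# and a plain options dict with no class references at all.
IOC_SAMPLE = b"cposix\nsystem\np1\n(S'<payload>'\np2\ntp3\nRp4\n."
BENIGN_SAMPLE = pickle.dumps({"width": 400, "height": 250, "target": ["carbon.cpu"]})

if __name__ == "__main__":
    for label, body in (("ioc", IOC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify_render_local_post("/render/local", body))
```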

CVSS provenance

nvd: v2.0, 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa: 6.8 MEDIUM
osv: 6.8 MEDIUM
vendor_debian: 6.8 MEDIUM