CVE-2017-18638
Published 2019-10-11
Priority P263 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 16.95% (96.7th percentile)
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | graphite-web | < graphite-web 1.1.4-5 (bookworm) | graphite-web 1.1.4-5 (bookworm) |
| graphite_project | graphite | <= 1.1.5 | — |
Detection & IOCs
url: /composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}
- Monitor HTTP GET requests to the /composer/send_email endpoint with an attacker-controlled 'url' parameter pointing to external or internal resources; this is the SSRF trigger point.
- Detect out-of-band HTTP callbacks (OAST/interactsh) originating from the Graphite web server process, which indicate successful SSRF exploitation via send_email.
- Alert on the Graphite web server making outbound HTTP requests to arbitrary hosts, especially when triggered by the send_email composer view: the SSRF response is encoded into an image and emailed to an attacker-supplied address.
- Flag requests to /composer/send_email where the 'url' query parameter references internal network addresses (RFC1918, localhost, metadata endpoints) as potential SSRF exploitation attempts.
- The nuclei probe uses randomised subdomains via interactsh for out-of-band detection; a matcher on 'interactsh_protocol: http' confirms SSRF but requires an active OOB listener, so passive/inline IDS will not see the callback.
- Affected versions are Graphite through 1.1.5; Debian fixed the issue in package version 1.1.4-5, so version checks must account for distro-patched packages that may report a lower upstream version number.
- Red Hat Ceph Storage 2 & 3 and Red Hat Storage 3 packages are out of support scope or will not be fixed, meaning vulnerable instances may persist in those environments indefinitely.
- The Ubuntu USN-6243-1 patch was found to be incomplete; USN-6243-2 was issued to fully remediate the issue. Ensure the follow-up update is applied, not just the initial advisory.
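The log-side checks above can be sketched as a small scanner. This is an added example, not code from Graphite or from any of the cited advisories: it flags every request to /composer/send_email that carries a 'url' parameter and marks the ones whose target is a literal internal address. The combined-log line format and the sample lines are constructed assumptions, and DNS names are not resolved, so a hostname that points at an internal address is reported as external.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format is an assumption).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /composer/send_email?to=a%40example.test&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /composer/send_email?to=a%40example.test&url=http://localhost:8080/ HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /composer/send_email?to=ops%40example.test&url=http://oob.example.test/x HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /render?target=carbon.agents.*&format=json HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def classify_host(host):
    """Classify a URL host as 'internal', 'external' or 'unparsed'."""
    if not host:
        return "unparsed"
    if host.lower() in ("localhost", "localhost.localdomain"):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # DNS name; not resolved here
    internal = ip.is_private or ip.is_loopback or ip.is_link_local
    return "internal" if internal else "external"


def scan(lines):
    """Return (client, url, verdict) for each send_email request with a url parameter."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        # endswith() tolerates Graphite being mounted under a URL prefix.
        if not parts.path.rstrip("/").endswith("/composer/send_email"):
            continue
        for url in parse_qs(parts.query).get("url", []):  # parse_qs percent-decodes
            try:
                host = urlsplit(url).hostname
            except ValueError:
                host = None
            hits.append((line.split()[0], url, classify_host(host)))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:9} client={client} url={url}")
```
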
CVSS provenance
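| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |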
Ubuntu
Graphite-Web regression
vendor_ubuntu·2023-08-09·CVSS 7.5
[HIGH] Graphite-Web regression
Title: Graphite-Web regression
Summary: USN-6243-1 caused a minor regression in Graphite-Web.
USN-6243-1 fixed vulnerabilities in Graphite-Web. It was discovered that the
applied fix was incomplete. This update fixes the problem.
Original advisory details:
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
server-side request forgery and obtain sensitive information. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-18638)
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote a
Ubuntu
Graphite-Web vulnerabilities
vendor_ubuntu·2023-07-25·CVSS 7.5
CVE-2022-4730 [HIGH] Graphite-Web vulnerabilities
Title: Graphite-Web vulnerabilities
Summary: Several security issues were fixed in Graphite-Web.
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
server-side request forgery and obtain sensitive information. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-18638)
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
cross site scripting and obtain sensitive information. (CVE-2022-4728,
CVE-2022-4729, CVE-2022-4730)
Red Hat
graphite-web: graphite.composer.views.send_email vulnerable to SSRF
vendor_redhat·2019-10-12·CVSS 7.5
CVE-2017-18638 [HIGH] CWE-918 graphite-web: graphite.composer.views.send_email vulnerable to SSRF
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
A flaw was found in graphite-web. The send_email in the graphite-web/webapp/graphite/composer/views.py function is vulnerable to a Server-side request forgery (SSRF). This flaw allows an attacker to use the vulnerable SSRF endpoint to have the Graphite web server request any resource. An attacker can exfiltrate any inform
Debian
CVE-2017-18638: graphite-web - send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through...
vendor_debian·2017·CVSS 7.5
CVE-2017-18638 [HIGH] CVE-2017-18638: graphite-web - send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through...
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
Scope: local
bookworm: resolved (fixed in 1.1.4-5)
forky: resolved (fixed in 1.1.4-5)
sid: resolved (fixed in 1.1.4-5)
trixie: resolved (fixed in 1.1.4-5)
OSV
graphite-web regression
osv·2023-08-09·CVSS 7.5
[HIGH] graphite-web regression
USN-6243-1 fixed vulnerabilities in Graphite-Web. It was discovered that the
applied fix was incomplete. This update fixes the problem.
Original advisory details:
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
server-side request forgery and obtain sensitive information. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-18638)
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
cross site scripting a
OSV
graphite-web vulnerabilities
osv·2023-07-25·CVSS 7.5
CVE-2017-18638 [HIGH] graphite-web vulnerabilities
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
server-side request forgery and obtain sensitive information. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-18638)
It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
cross site scripting and obtain sensitive information. (CVE-2022-4728,
CVE-2022-4729, CVE-2022-4730)
GHSA
graphite.composer.views.send_email vulnerable to SSRF
ghsa·2019-10-25
CVE-2017-18638 [HIGH] CWE-918 graphite.composer.views.send_email vulnerable to SSRF
### Impact
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. Email will be sent through the SMTP server configured in Graphite; by default it's 'localhost'.
### Patches
The problem was patched in Graphite-web 1.1.6. Patches were also released for graphite-web [1.0.x](https://github.com/graphite-project/graphite-web/pull/2501) and [0.9.x](https://github.com/graphite-project/graphite-web/pull/250
OSV
graphite.composer.views.send_email vulnerable to SSRF
osv·2019-10-25
CVE-2017-18638 [HIGH] graphite.composer.views.send_email vulnerable to SSRF
### Impact
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. Email will be sent through the SMTP server configured in Graphite; by default it's 'localhost'.
### Patches
The problem was patched in Graphite-web 1.1.6. Patches were also released for graphite-web [1.0.x](https://github.com/graphite-project/graphite-web/pull/2501) and [0.9.x](https://github.com/graphite-project/graphite-web/pull/250
OSV
CVE-2017-18638: send_email in graphite-web/webapp/graphite/composer/views
osv·2019-10-11·CVSS 7.5
CVE-2017-18638 [HIGH] CVE-2017-18638: send_email in graphite-web/webapp/graphite/composer/views
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free
exploitdb·2017-05-03
/********************************
* Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free
* Google Dork: n/a
* Date: 03.05.2017
* Exploit Author: Marcin Ressel
* TT: @r_esselm
* Vendor Homepage: www.microsoft.com
* Software Link: n/a
* Version: 11.0.9600.18638
* Tested on: Windows 7
* CVE : n/a
* ****************************
(151c.10a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0
eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0 nv up ei
Nuclei
Graphite <=1.1.5 - Server-Side Request Forgery
nuclei·CVSS 7.5
CVE-2017-18638 [HIGH] Graphite <=1.1.5 - Server-Side Request Forgery
Graphite =1.1.6) or apply the necessary security patches.
```yaml
  reference:
    - http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
    - https://github.com/graphite-project/graphite-web/issues/2008
    - https://github.com/advisories/GHSA-vfj6-275q-4pvm
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18638
    - https://github.com/graphite-project/graphite-web/pull/2499
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2017-18638
    cwe-id: CWE-918
    epss-score: 0.87481
    epss-percentile: 0.99462
    cpe: cpe:2.3:a:graphite_project:graphite:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: graphite_project
    product: graphite
  tags: cve,cve2017,graphite,ssrf,oast,graphite_project,vuln
http:
  - method: GET
    path:
      - '{{BaseURL}}/composer/send_email?to={{rand_te
```
- https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html#second-bug-internal-graphite-ssrf
- https://github.com/graphite-project/graphite-web/issues/2008
- https://github.com/graphite-project/graphite-web/pull/2499
- https://github.com/graphite-project/graphite-web/security/advisories/GHSA-vfj6-275q-4pvm
- https://lists.debian.org/debian-lts-announce/2019/10/msg00030.html
- https://www.youtube.com/watch?v=ds4Gp4xoaeA
Published: 2019-10-11