CVE-2017-18638
published 2019-10-11

Priority P2 · 63 · high · 7.5 · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 16.95% (96.7th percentile)
send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

Affected (2 ranges)

Vendor           | Product      | Version range                      | Fixed in
debian           | graphite-web | < graphite-web 1.1.4-5 (bookworm)  | graphite-web 1.1.4-5 (bookworm)
graphite_project | graphite     | <= 1.1.5                           | -

Detection & IOCs (extracted from sources)

url: /composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}
path: /composer/send_email
path: graphite-web/webapp/graphite/composer/views.py
  • Monitor HTTP GET requests to the /composer/send_email endpoint with attacker-controlled 'url' parameter pointing to external/internal resources — this is the SSRF trigger point.
  • Detect out-of-band HTTP callbacks (OAST/interactsh) originating from the Graphite web server process, which indicate successful SSRF exploitation via send_email.
  • Alert on Graphite web server making outbound HTTP requests to arbitrary hosts, especially when triggered by the send_email composer view — the SSRF response is encoded into an image and emailed to an attacker-supplied address.
  • Flag requests to /composer/send_email where the 'url' query parameter references internal network addresses (RFC1918, localhost, metadata endpoints) as potential SSRF exploitation attempts.
  • The nuclei probe uses randomised subdomains via interactsh for out-of-band detection; a matcher on 'interactsh_protocol: http' confirms SSRF but requires an active OOB listener — passive/inline IDS will not see the callback.
  • Affected versions are Graphite through 1.1.5; Debian fixed the issue in package version 1.1.4-5, so version checks must account for distro-patched packages that may report a lower upstream version number.
  • Red Hat Ceph Storage 2 & 3 and Red Hat Storage 3 packages are out of support scope or will not be fixed, meaning vulnerable instances may persist in those environments indefinitely.
  • The Ubuntu USN-6243-1 patch was found to be incomplete; USN-6243-2 was issued to fully remediate the issue — ensure the follow-up update is applied, not just the initial advisory.
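The first and fourth detection bullets above describe an inline check that can run over ordinary web-server access logs without an out-of-band listener. The following script is an added example written for this page (it is not code from Graphite or from the source advisories): it parses combined-format access log lines, picks out requests to /composer/send_email, extracts the 'url' parameter, and escalates those whose fetch target is a loopback, RFC1918, or link-local address (the range that includes the 169.254.169.254 cloud metadata endpoint) or a well-known metadata hostname. The log lines, the function names (scan_log, classify_target) and the severity labels are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Not real traffic: the hosts, timestamps and recipients are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2019:10:00:01 +0000] "GET /composer/send_email?to=ops%40example.org&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/7.64"
10.0.0.5 - - [11/Oct/2019:10:00:02 +0000] "GET /composer/send_email?to=ops%40example.org&url=http%3A%2F%2F10.0.0.12%3A8080%2Fadmin HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.7 - - [11/Oct/2019:10:00:03 +0000] "GET /composer/send_email?to=abcd%40wxyz&url=http%3A%2F%2Fexample.oast.example%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Oct/2019:10:00:04 +0000] "GET /render?target=carbon.agents.*.cpuUsage HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Address ranges a Graphite server should never be asked to fetch on a user's behalf.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local, incl. 169.254.169.254 metadata
)]
# Hostname forms of the same targets (metadata.google.internal is GCP's metadata name).
INTERNAL_NAMES = {"localhost", "metadata.google.internal"}

SSRF_PATH = "/composer/send_email"


def classify_target(fetch_url: str) -> str:
    """Return 'internal', 'external' or 'invalid' for the host named in a url parameter."""
    host = urlsplit(fetch_url).hostname
    if not host:
        return "invalid"
    if host.lower() in INTERNAL_NAMES:
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: cannot be resolved offline, so it is still an SSRF trigger,
        # just not provably aimed at the internal network from the log alone.
        return "external"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def scan_log(text: str) -> list[dict]:
    """Return one finding per request to the send_email endpoint, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != SSRF_PATH:
            continue
        params = parse_qs(target.query)          # parse_qs percent-decodes values
        fetch_url = params.get("url", [""])[0]
        kind = classify_target(fetch_url)
        findings.append({
            "client": m.group("client"),
            "ts": m.group("ts"),
            "to": params.get("to", [""])[0],     # attacker-supplied recipient
            "url": fetch_url,
            "target": kind,
            # Any hit on the endpoint is worth a look (bullet 1); an internal
            # target is the high-confidence case (bullet 4).
            "severity": "high" if kind == "internal" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:15} to={f['to']} url={f['url']} ({f['target']})")
```

Run as-is, the script reports the two internal-target requests as high and the OAST-style external request as medium, and ignores the unrelated /render request. Feeding it a real access log only requires swapping SAMPLE_LOG for the file contents; the parser is deliberately tolerant of the trailing referrer and user-agent fields.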

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv           | -       | 7.5   | HIGH     | -
vendor_debian | -       | 7.5   | HIGH     | -
vendor_redhat | -       | 7.5   | HIGH     | -
vendor_ubuntu | -       | 7.5   | HIGH     | -