Executive Summary

Information
Name : CVE-2017-18638
First vendor Publication : 2019-10-11
Vendor : Cve
Last vendor Modification : 2019-10-15

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score : Not Defined
Attack Range : Not Defined
Cvss Impact Score : Not Defined
Attack Complexity : Not Defined
Cvss Exploit Score : Not Defined
Authentication : Not Defined

Detail

send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18638

Sources (Detail)

Source : MISC
Url : https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html#second...
Url : https://github.com/graphite-project/graphite-web/issues/2008
Url : https://github.com/graphite-project/graphite-web/pull/2499
Url : https://github.com/graphite-project/graphite-web/security/advisories/GHSA-vfj...
Url : https://www.youtube.com/watch?v=ds4Gp4xoaeA

Alert History

Date : 2019-10-15 17:19:38
  • Multiple Updates
Date : 2019-10-12 05:20:04
  • First insertion