CVE-2013-5093

Graphite <0.9.10 - RCE

Title source: llm

Description

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremoteunix

https://www.exploit-db.com/exploits/27752

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Charlie Eriksen, funkypickle · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb

View Code ZIP pw:eip

References (7)

[Exploit] http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/

[Vendor Advisory] http://secunia.com/advisories/54556

[Exploit] http://www.exploit-db.com/exploits/27752

[Third Party Advisory, VDB Entry] http://www.osvdb.org/96436

[Exploit] http://www.securityfocus.com/bid/61894

[Exploit, Patch] https://github.com/graphite-project/graphite-web/blob/master/docs/releases/0_9_11.rst

[Exploit] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb

Scores

EPSS 0.8361

EPSS Percentile 99.3%

Details

CWE

CWE-94

Status published

Products (7)

graphite_project/graphite 0.9.5

graphite_project/graphite 0.9.6

graphite_project/graphite 0.9.7

graphite_project/graphite 0.9.8

graphite_project/graphite 0.9.9

graphite_project/graphite 0.9.10

pypi/graphite-web 0.9.5 - 0.9.11PyPI

Published Sep 27, 2013

Tracked Since Feb 18, 2026