What is CVE-2017-18638?

CVE-2017-18638 is a vulnerability in N/a. Published 2019-10-11.

Is CVE-2017-18638 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2017-18638

send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to thi…

EPSS: 0.916 (99.7th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

github.com/graphite-project/graphite-web/security/advisories/GHSA-vfj6-275q-4pvm (x_refsource_MISC)
github.com/graphite-project/graphite-web/issues/2008 (x_refsource_MISC)
blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html (x_refsource_MISC)
www.youtube.com/watch (x_refsource_MISC)
github.com/graphite-project/graphite-web/pull/2499 (x_refsource_MISC)
[debian-lts-announce] 20191021 [SECURITY] [DLA 1962-1] graphite-web security update (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2017-18638?: CVE-2017-18638 is a vulnerability in N/a. Published 2019-10-11.
Is CVE-2017-18638 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.