A remote attacker could exploit this flaw to execute arbitrary commands with root permissions via the API endpoint.
CVE-2019-5404 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-Frame-Options response could be used to cause an XSS attack.
CVE-2019-5403 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.
CVE-2019-5402 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.
CVE-2019-5401 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.
CVE-2019-5400 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.
CVE-2019-5399 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X
Crash on Triggering certain Graphite API Endpoints
The following Graphite API endpoints are known to crash:
- /graphite/service/storage/request
- /graphite/service/storage/update
- /graphite/service/storage/delete
- /graphite/service/store
- /graphite/service/query
A remote attacker could exploit these crashes to execute arbitrary commands with root permissions via the API endpoint.
Timeline
Published on: 09/09/2022 18:15:00 UTC
Last modified on: 09/15/2022 15:30:00 UTC