Security update for graphite-web SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:2803-1 Final 1 1 2019-10-29T10:39:34Z current 2019-10-29T10:39:34Z 2019-10-29T10:39:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for graphite-web This update for graphite-web fixes the following issues: - CVE-2017-18638: Fixed an SSRF vulnerability in send_email (bsc#1154007). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-2803,SUSE-Storage-4-2019-2803 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20192803-1/ Link for SUSE-SU-2019:2803-1 https://lists.suse.com/pipermail/sle-security-updates/2019-October/006066.html E-Mail link for SUSE-SU-2019:2803-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1154007 SUSE Bug 1154007 https://www.suse.com/security/cve/CVE-2017-18638/ SUSE CVE CVE-2017-18638 page SUSE Enterprise Storage 4 graphite-web-0.9.12-5.3.1 graphite-web-0.9.12-5.3.1 as a component of SUSE Enterprise Storage 4 send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. CVE-2017-18638 SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192803-1/ https://www.suse.com/security/cve/CVE-2017-18638.html CVE-2017-18638 https://bugzilla.suse.com/1154007 SUSE Bug 1154007