{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for graphite-web","title":"Title of the patch"},{"category":"description","text":"This update for graphite-web fixes the following issues:\n\n- CVE-2017-18638: Fixed an SSRF vulnerability in send_email (bsc#1154007).\n","title":"Description of the patch"},{"category":"details","text":"SUSE-2019-2803,SUSE-Storage-4-2019-2803","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_2803-1.json"},{"category":"self","summary":"URL for SUSE-SU-2019:2803-1","url":"https://www.suse.com/support/update/announcement/2019/suse-su-20192803-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2019:2803-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2019-October/006066.html"},{"category":"self","summary":"SUSE Bug 1154007","url":"https://bugzilla.suse.com/1154007"},{"category":"self","summary":"SUSE CVE CVE-2017-18638 page","url":"https://www.suse.com/security/cve/CVE-2017-18638/"}],"title":"Security update for graphite-web","tracking":{"current_release_date":"2019-10-29T10:39:34Z","generator":{"date":"2019-10-29T10:39:34Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2019:2803-1","initial_release_date":"2019-10-29T10:39:34Z","revision_history":[{"date":"2019-10-29T10:39:34Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"graphite-web-0.9.12-5.3.1.noarch","product":{"name":"graphite-web-0.9.12-5.3.1.noarch","product_id":"graphite-web-0.9.12-5.3.1.noarch"}}],"category":"architecture","name":"noarch"},{"branches":[{"category":"product_name","name":"SUSE Enterprise Storage 4","product":{"name":"SUSE Enterprise Storage 4","product_id":"SUSE Enterprise Storage 4","product_identification_helper":{"cpe":"cpe:/o:suse:ses:4"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"graphite-web-0.9.12-5.3.1.noarch as component of SUSE Enterprise Storage 4","product_id":"SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1.noarch"},"product_reference":"graphite-web-0.9.12-5.3.1.noarch","relates_to_product_reference":"SUSE Enterprise Storage 4"}]},"vulnerabilities":[{"cve":"CVE-2017-18638","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2017-18638"}],"notes":[{"category":"general","text":"send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.","title":"CVE description"}],"product_status":{"recommended":["SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1.noarch"]},"references":[{"category":"external","summary":"CVE-2017-18638","url":"https://www.suse.com/security/cve/CVE-2017-18638"},{"category":"external","summary":"SUSE Bug 1154007 for CVE-2017-18638","url":"https://bugzilla.suse.com/1154007"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1.noarch"]}],"scores":[{"cvss_v3":{"baseScore":5.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.0"},"products":["SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1.noarch"]}],"threats":[{"category":"impact","date":"2019-10-29T10:39:34Z","details":"moderate"}],"title":"CVE-2017-18638"}]}