Red Hat Bugzilla – Bug 1000060
CVE-2013-5093 CVE-2013-5942 CVE-2013-5943 graphite-web: remote code execution flaw due to pickle processing
Last modified: 2013-09-30 03:26:56 EDT
It was reported  that a flaw exists in graphite-web versions 0.9.5 through to 0.9.10, due to the use of the pickle module. The clustering feature of graphite-web was introduced in 0.9.5 to facilitate scaling for a graphite setup, which was achieved by passing pickled data between servers. However, upon receipt of the pickled data, no validation was done to limit the types of objects that are unpickled, which creates a condition where arbitrary code can be executed. Based on the available metasploit module , it does not look as though any kind of authentication or validation between servers exists either, to prevent a remote unauthenticated user from exploiting this flaw.
This flaw has been fixed in 0.9.11 (git commit ).
Created graphite-web tracking bugs for this issue:
Affects: fedora-all [bug 1000062]
Affects: epel-6 [bug 1000064]
This update has been marked as stable.