{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2017-18638","title":"Title"},{"category":"description","text":"send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2017-18638","url":"https://www.suse.com/security/cve/CVE-2017-18638"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1154007 for CVE-2017-18638","url":"https://bugzilla.suse.com/1154007"},{"category":"external","summary":"Advisory link for SUSE-SU-2019:2803-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2019-October/006066.html"}],"title":"SUSE CVE CVE-2017-18638","tracking":{"current_release_date":"2025-04-25T07:30:07Z","generator":{"date":"2023-02-15T04:35:37Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2017-18638","initial_release_date":"2023-02-15T04:35:37Z","revision_history":[{"date":"2023-02-15T04:35:37Z","number":"2","summary":"Current version"},{"date":"2025-01-01T08:12:41Z","number":"3","summary":"Current version"},{"date":"2025-02-18T07:23:11Z","number":"4","summary":"Current version"},{"date":"2025-03-15T12:50:19Z","number":"5","summary":"Current version"},{"date":"2025-04-25T07:30:07Z","number":"6","summary":"Current version"}],"status":"interim","version":"6"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Enterprise Storage 4","product":{"name":"SUSE Enterprise Storage 4","product_id":"SUSE Enterprise Storage 4","product_identification_helper":{"cpe":"cpe:/o:suse:ses:4"}}},{"category":"product_version","name":"graphite-web-0.9.12-5.3.1","product":{"name":"graphite-web-0.9.12-5.3.1","product_id":"graphite-web-0.9.12-5.3.1","product_identification_helper":{"purl":"pkg:rpm/suse/graphite-web@0.9.12-5.3.1?upstream=graphite-web-0.9.12-5.3.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"graphite-web-0.9.12-5.3.1 as component of SUSE Enterprise Storage 4","product_id":"SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1"},"product_reference":"graphite-web-0.9.12-5.3.1","relates_to_product_reference":"SUSE Enterprise Storage 4"}]},"vulnerabilities":[{"cve":"CVE-2017-18638","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2017-18638"}],"notes":[{"category":"general","text":"send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.","title":"CVE description"}],"product_status":{"recommended":["SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1"]},"references":[{"category":"external","summary":"CVE-2017-18638","url":"https://www.suse.com/security/cve/CVE-2017-18638"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1154007 for CVE-2017-18638","url":"https://bugzilla.suse.com/1154007"},{"category":"external","summary":"Advisory link for SUSE-SU-2019:2803-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2019-October/006066.html"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1"]}],"scores":[{"cvss_v3":{"baseScore":5.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.0"},"products":["SUSE Enterprise Storage 4:graphite-web-0.9.12-5.3.1"]}],"threats":[{"category":"impact","date":"2019-10-15T08:04:06Z","details":"moderate"}],"title":"CVE-2017-18638"}]}