PT-2017-2784 · Supervisor
Calum Hutton · Published 2017-08-07 · Updated 2024-04-08 · CVE-2017-11610
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Supervisor versions prior to 3.0.1
Supervisor versions 3.1.x prior to 3.1.4
Supervisor versions 3.2.x prior to 3.2.4
Supervisor versions 3.3.x prior to 3.3.3
Description
The XML-RPC server in Supervisor allows a remote authenticated user to execute arbitrary commands via a crafted XML-RPC request; the flaw is related to nested supervisord namespace lookups. The issue is also related to inadequate access control in the XML-RPC component of the Supervisor web server.
Recommendations
For versions prior to 3.0.1, update to version 3.0.1 or later.
For versions 3.1.x prior to 3.1.4, update to version 3.1.4 or later.
For versions 3.2.x prior to 3.2.4, update to version 3.2.4 or later.
For versions 3.3.x prior to 3.3.3, update to version 3.3.3 or later.
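As an added example (not part of this advisory), the following Python script encodes the four affected ranges listed above and reports whether a given Supervisor version string still needs the recommended update. It assumes that `supervisord -v` prints the version when run locally; the version strings in the `__main__` block are constructed samples.

```python
"""Check whether a Supervisor version falls inside the ranges this advisory
lists as affected by CVE-2017-11610 (added example, not advisory code).

Affected ranges, taken from the advisory:
  * anything prior to 3.0.1
  * 3.1.x prior to 3.1.4
  * 3.2.x prior to 3.2.4
  * 3.3.x prior to 3.3.3
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each explicitly listed 3.x branch.
FIXED_ON_BRANCH = {
    (3, 1): (3, 1, 4),
    (3, 2): (3, 2, 4),
    (3, 3): (3, 3, 3),
}
# Everything older than this (2.x, 3.0.0, pre-releases of 3.0) is affected.
FIRST_FIXED_OVERALL: Version = (3, 0, 1)


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from strings such as '3.3.1' or
    'supervisord 3.2.0'. A missing patch component counts as 0; suffixes
    such as 'b1' are ignored, which is conservative (a 3.0b1 is treated as
    3.0.0 and therefore affected)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version_text: str) -> bool:
    """Return True if the version is in one of the advisory's affected ranges.
    Raises ValueError when no version number can be found in the input."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no version number found in {version_text!r}")
    if version < FIRST_FIXED_OVERALL:
        return True
    fixed = FIXED_ON_BRANCH.get(version[:2])
    return fixed is not None and version < fixed


def recommended_update(version_text: str) -> Optional[str]:
    """Return the advisory's recommended minimum version for an affected
    install, or None if the version is not in an affected range."""
    if not is_affected(version_text):
        return None
    version = parse_version(version_text)
    assert version is not None  # is_affected() already validated it
    fixed = FIXED_ON_BRANCH.get(version[:2], FIRST_FIXED_OVERALL)
    return ".".join(str(part) for part in fixed)


def installed_version() -> Optional[str]:
    """Ask the local supervisord binary for its version (assumption: the
    binary is on PATH and supports the -v flag). Returns None on failure."""
    try:
        out = subprocess.run(["supervisord", "-v"], capture_output=True,
                             text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample inputs; a real check would use installed_version().
    for sample in ["3.3.1", "3.3.3", "3.0.0", "3.0.1", "supervisord 3.1.0", "3.4.0"]:
        fix = recommended_update(sample)
        status = f"affected, update to {fix} or later" if fix else "not affected"
        print(f"{sample:>18}: {status}")
    local = installed_version()
    if local:
        print(f"local supervisord reports {local!r}: "
              f"{'AFFECTED' if is_affected(local) else 'not affected'}")
```

Versions on branches the advisory does not list (for example 3.4.x or later) are reported as not affected because they post-date every fixed release named above; treat that as "not in scope of this advisory" rather than a general security verdict.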
Exploit
Fix
Weakness types: Improper Access Control; Incorrect Default Permissions
Related Identifiers
Affected Products
Alt Linux
Supervisor