CVE-2017-11610
Published: 23 August 2017
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.
Priority
Status
Package | Release | Status
---|---|---
supervisor (Launchpad, Ubuntu, Debian) | upstream | Released (3.3.1-1.1)
supervisor | precise | Does not exist
supervisor | trusty | Released (3.0b2-1ubuntu0.1)
supervisor | xenial | Released (3.2.0-2ubuntu0.2)
supervisor | zesty | Released (3.3.1-1+deb9u1build0.17.04.1)
supervisor | artful | Not vulnerable (3.3.1-1.1)
supervisor | bionic | Not vulnerable (3.3.1-1.1)
Patches (upstream commits):
- https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e
- https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e
- https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88
- https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0
Severity score breakdown
Parameter | Value
---|---
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |