CVE-2017-11610

Published: 23 August 2017

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
supervisor
Launchpad, Ubuntu, Debian
Upstream
Released (3.3.1-1.1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(3.3.1-1.1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (3.2.0-2ubuntu0.2)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (3.0b2-1ubuntu0.1)
Patches:
Other: https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e
Other: https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e
Other: https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88
Other: https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0