Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-201709-06
HistorySep 17, 2017 - 12:00 a.m.

Supervisor: command injection vulnerability

2017-09-1700:00:00
Gentoo Foundation
security.gentoo.org
42

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON

Background

Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems.

Description

A vulnerability in Supervisor was discovered in which an authenticated client could send malicious XML-RPC requests and supervidord will run them as shell commands with process privileges. In some cases, supervisord is configured with root permissions.

Impact

A remote attacker could execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Supervisor users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "=app-admin/supervisor-3.1.4"
OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-admin/supervisor< 3.1.4UNKNOWN

Related

prion 1
seebug 1
osv 5
veracode 2
fedora 3
cve 1
openvas 6
packetstorm 1
nessus 7
debian 3
github 1
debiancve 1
freebsd 1
mageia 1
nuclei 1
zdt 1
redhatcve 1
ubuntucve 1
attackerkb 1
alpinelinux 1
metasploit 1
exploitdb 1
redhat 1
myhack58 1
threatpost 1
prion
prion
Cross site request forgery (csrf)
2017-08-23 14:29:00
seebug
seebug
Supervisor Authenticated Remote Code Execution(CVE-2017-11610)
2017-07-27 00:00:00
osv
osv
supervisor - security update
2017-07-31 00:00:00
PYSEC-2017-41
2017-08-23 14:29:00
Incorrect Default Permissions in Supervisor
2022-05-13 01:42:26
veracode
veracode
Remote Code Execution (RCE)
2019-01-15 09:19:14
Remote Code Execution (RCE)
2017-07-24 22:39:07
fedora
fedora
[SECURITY] Fedora 24 Update: supervisor-3.1.4-1.fc24
2017-08-07 20:18:38
[SECURITY] Fedora 25 Update: supervisor-3.2.4-1.fc25
2017-08-07 21:23:15
[SECURITY] Fedora 26 Update: supervisor-3.3.3-1.fc26
2017-08-07 17:22:19
cve
cve
CVE-2017-11610
2017-08-23 14:29:00
openvas
openvas
Mageia: Security Advisory (MGASA-2017-0263)
2022-01-28 00:00:00
Debian: Security Advisory (DSA-3942-1)
2017-08-12 00:00:00
Debian: Security Advisory (DLA-1047-1)
2018-02-07 00:00:00
packetstorm
packetstorm
Supervisor XML-RPC Authenticated Remote Code Execution
2017-09-25 00:00:00
nessus
nessus
Debian DSA-3942-1 : supervisor - security update
2017-08-14 00:00:00
Fedora 25 : supervisor (2017-85eb9f7a36)
2017-08-09 00:00:00
Fedora 26 : supervisor (2017-307eab89e1)
2017-08-08 00:00:00
debian
debian
[SECURITY] [DSA 3942-1] supervisor security update
2017-08-13 19:45:15
[SECURITY] [DLA 1047-1] supervisor security update
2017-07-31 12:59:48
[SECURITY] [DSA 3942-1] supervisor security update
2017-08-13 19:45:15
github
github
Incorrect Default Permissions in Supervisor
2022-05-13 01:42:26
debiancve
debiancve
CVE-2017-11610
2017-08-23 14:29:00
freebsd
freebsd
Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests
2017-07-24 00:00:00
mageia
mageia
Updated supervisor packages fix security vulnerability
2017-08-13 16:17:41
nuclei
nuclei
XML-RPC Server - Remote Code Execution
2021-11-15 23:27:25
zdt
zdt
Supervisor XML-RPC Authenticated Remote Code Execution Exploit
2017-09-25 00:00:00
redhatcve
redhatcve
CVE-2017-11610
2017-07-28 07:19:44
ubuntucve
ubuntucve
CVE-2017-11610
2017-08-23 00:00:00
attackerkb
attackerkb
CVE-2017-11610
2017-08-23 00:00:00
alpinelinux
alpinelinux
CVE-2017-11610
2017-08-23 14:29:00
metasploit
metasploit
Supervisor XML-RPC Authenticated Remote Code Execution
2017-08-30 02:10:46
exploitdb
exploitdb
Supervisor 3.0a1 &lt; 3.3.2 - XML-RPC (Authenticated) Remote Code Execution (Metasploit)
2017-09-25 00:00:00
redhat
redhat
(RHSA-2017:3005) Important: Red Hat CloudForms security, bug fix, and enhancement update
2017-10-24 00:00:47
myhack58
myhack58
Nexus Repository Manager 3 new vulnerability has been used in mining Trojan spread, users are advised to fix as soon as possible-vulnerability warning-the black bar safety net
2019-03-12 00:00:00
threatpost
threatpost
Golang Cryptomining Worm Offers 15% Speed Boost
2021-08-06 20:41:40

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON
Related for GLSA-201709-06
prion1seebug1osv5veracode2fedora3cve1openvas6packetstorm1nessus7debian3github1debiancve1freebsd1mageia1nuclei1zdt1redhatcve1ubuntucve1attackerkb1alpinelinux1metasploit1exploitdb1redhat1myhack581threatpost1