MidnightBSD

Advisories for supervisord

CVE-2017-11610 HIGH

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-276,

Products Affected

Vendor Product Version
supervisord supervisor 3.3.0
supervisord supervisor 3.1.1
debian debian_linux 8.0
supervisord supervisor 3.3.2
fedoraproject fedora 26
supervisord supervisor 3.1.3
debian debian_linux 9.0
supervisord supervisor 3.1.2
supervisord supervisor 3.2.2
supervisord supervisor 3.2.1
fedoraproject fedora 24
redhat cloudforms 4.5
supervisord supervisor 3.2.0
supervisord supervisor 3.1.0
fedoraproject fedora 25
supervisord supervisor 3.2.3
supervisord supervisor 3.3.1
supervisord supervisor *
CVE-2019-12105 MEDIUM

In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
supervisord supervisor *