CVE-2017-11610

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

Published: Aug 23, 2017
Updated: Nov 8, 2023
CVE: CVE-2017-11610
GHSA: GHSA-x7c8-4x3h-874w
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-276

Affected Software
References

Software	From	Fixed in
supervisord / supervisor	3.1.2	3.1.2.x
supervisord / supervisor	3.3.1	3.3.1.x
supervisord / supervisor	-	3.0.x
supervisord / supervisor	3.2.3	3.2.3.x
supervisord / supervisor	3.2.2	3.2.2.x
supervisord / supervisor	3.2.0	3.2.0.x
supervisord / supervisor	3.2.1	3.2.1.x
supervisord / supervisor	3.3.2	3.3.2.x
supervisord / supervisor	3.1.1	3.1.1.x
supervisord / supervisor	3.1.0	3.1.0.x
supervisord / supervisor	3.3.0	3.3.0.x
supervisord / supervisor	3.1.3	3.1.3.x
fedoraproject / fedora	26	26.x
fedoraproject / fedora	25	25.x
fedoraproject / fedora	24	24.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
redhat / cloudforms	4.5	4.5.x
supervisor	-	3.0.1
supervisor	3.1.0	3.1.4
supervisor	3.2.0	3.2.4
supervisor	3.3.0	3.3.3

Vulnerability Database

289,697

CVE-2017-11610