Mike Naberezny
2017-07-24 21:07:42 UTC
CVE-2017-11610
A vulnerability has been found where an authenticated client can send a
malicious XML-RPC request to supervisord that will run arbitrary shell
commands on the server. The commands will be run as the same user as
supervisord. Depending on how supervisord has been configured, this may be
root. Supervisor 3.3.3 has been released to fix this vulnerability. The fix
has also been backported to several older versions. All users are advised to
upgrade.
Details:
https://github.com/Supervisor/supervisor/issues/964