CVE-2017-11610
HIGH 8.8 | EPSS 93.8% | supervisor - security update
Published: 5/13/2022 | Modified: 12/3/2025
Also known as: ALPINE-CVE-2017-11610, DEBIAN-CVE-2017-11610
Description
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.
Root cause: supervisord resolves the dotted method name of an XML-RPC call by looking up each component in turn as an attribute of the previous object, starting from the root RPC object. Because that walk was not restricted to the registered RPC namespaces and their public methods, an authenticated client could name an attribute chain that leads from a namespace interface into arbitrary Python objects and ends in a callable, then pass arguments to it. Commands run with the privileges of the supervisord process, which may be root depending on how it is configured (see the 3.3.3 CHANGES.txt entry and issue #964 in the references). The fixed releases accept only a two-part namespace.method name and require the target to be a method of a registered interface. Note that the XML-RPC endpoint is reachable over the network only when supervisord is configured with an [inet_http_server] section; if that section is present without a username and password, no authentication is required, so "authenticated" in practice means any client that can reach the port.
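The following is an added illustration of the lookup flaw and of the shape of the fix, not supervisor's own source: a constructed root object stands in for supervisord's real RPC object graph (the hypothetical `options -> warnings -> linecache -> os` chain mirrors the attribute path named in the referenced exploit), and `RPCError` stands in for supervisor's `RPCError(Faults.UNKNOWN_METHOD)`. `resolve_vulnerable` reproduces the pre-fix getattr walk; `traverse_fixed` applies the post-fix restriction to exactly `namespace.method`.

```python
"""
Illustrative reconstruction of the CVE-2017-11610 lookup flaw and the shape
of the fix shipped in supervisor 3.3.3 (backported to 3.2.4/3.1.4/3.0.1).
Added example code, not supervisor's own source; the object graph below is a
constructed stand-in for supervisord's real RPC root object.
"""
import os
import types


class RPCError(Exception):
    """Stand-in for supervisor's RPCError(Faults.UNKNOWN_METHOD)."""


class SupervisorNamespaceRPCInterface:
    """Hypothetical registered namespace with one public and one private method."""

    def __init__(self, supervisord):
        # Real interfaces keep a back-reference to the daemon; that reference
        # is the first hop an attacker walks through.
        self.supervisord = supervisord

    def getAPIVersion(self):
        return "3.0"

    def _reloadConfig(self):
        return "private"


class RootRPCObject:
    """Root the dispatcher resolves method names against: one attribute per namespace."""

    def __init__(self):
        # Constructed chain mimicking supervisord.options -> warnings -> linecache -> os
        supervisord = types.SimpleNamespace(
            options=types.SimpleNamespace(
                warnings=types.SimpleNamespace(
                    linecache=types.SimpleNamespace(os=os)
                )
            )
        )
        self.supervisor = SupervisorNamespaceRPCInterface(supervisord)


def resolve_vulnerable(root, method):
    """Pre-fix lookup: follow every dotted component with getattr, wherever it leads."""
    ob = root
    for name in method.split("."):
        if name.startswith("_"):  # the only guard: no underscore-prefixed names
            raise RPCError("UNKNOWN_METHOD")
        ob = getattr(ob, name, None)
        if ob is None:
            raise RPCError("UNKNOWN_METHOD")
    return ob


def traverse_vulnerable(root, method, params):
    return resolve_vulnerable(root, method)(*params)


def traverse_fixed(root, method, params):
    """Post-fix lookup: exactly <namespace>.<method>, and the target must be a
    bound method of a registered interface, never a nested attribute."""
    parts = method.split(".")
    if len(parts) != 2:
        raise RPCError("UNKNOWN_METHOD")
    namespace, name = parts
    if name.startswith("_"):
        raise RPCError("UNKNOWN_METHOD")
    iface = getattr(root, namespace, None)
    if iface is None:
        raise RPCError("UNKNOWN_METHOD")
    func = getattr(iface, name, None)
    if not isinstance(func, types.MethodType):
        raise RPCError("UNKNOWN_METHOD")
    return func(*params)


ATTACK_METHOD = "supervisor.supervisord.options.warnings.linecache.os.system"


def demo():
    root = RootRPCObject()
    results = {}
    # The vulnerable resolver hands back os.system itself (deliberately not invoked).
    results["vuln_resolves_to_os_system"] = resolve_vulnerable(root, ATTACK_METHOD) is os.system
    # A harmless call through the same path shows the resolved object really executes.
    results["vuln_runs_getcwd"] = traverse_vulnerable(
        root, "supervisor.supervisord.options.warnings.linecache.os.getcwd", []
    ) == os.getcwd()
    # The fixed resolver keeps the legitimate API working ...
    results["fixed_api_ok"] = traverse_fixed(root, "supervisor.getAPIVersion", []) == "3.0"
    # ... and rejects traversal, private methods and malformed names.
    for bad in (ATTACK_METHOD, "supervisor._reloadConfig", "supervisor"):
        try:
            traverse_fixed(root, bad, [])
            results[bad] = "ALLOWED"
        except RPCError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre-fix guard against underscore-prefixed names does nothing here because every hop on the attack path is a public attribute; the effective fix is refusing any name that is not exactly one registered namespace plus one bound method.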
Affected packages (6)
- Alpine / supervisor: from 0, < 3.2.4-r0
- Debian / supervisor: from 0, < 3.3.1-1.1
- Debian / supervisor: from 0, < 3.0a8-1.1+deb7u2
- Debian / supervisor: from 0, < 3.0r1-1+deb8u1
- PyPI / supervisor: from 0, < 3.0.1
- PyPI / supervisor: from 0, < 3.0.1; >= 3.1, < 3.1.4; >= 3.2, < 3.2.4; >= 3.3, < 3.3.3
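An added helper (not part of the advisory or of supervisor) that turns the PyPI ranges above into an installed-version check and scans constructed `pip freeze` output for vulnerable pins. The Alpine and Debian entries use distribution revision strings and are not covered; the version parser keeps only the numeric release segment, so a pre-release such as 3.0a8 is compared as 3.0 (which errs toward flagging).

```python
"""
Added example (not from the advisory or the supervisor project): decide whether
a supervisor version falls inside the PyPI ranges listed in the advisory, and
scan `pip freeze` style text for vulnerable pins.
"""
import re

# Affected PyPI ranges from the advisory as [introduced, fixed) tuple pairs.
AFFECTED_RANGES = [
    ((0,), (3, 0, 1)),
    ((3, 1), (3, 1, 4)),
    ((3, 2), (3, 2, 4)),
    ((3, 3), (3, 3, 3)),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text):
    """Numeric release segment as an int tuple. A pre-release such as '3.0a8'
    becomes (3, 0), which sorts below (3, 0, 1) and is therefore flagged."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version):
    """True when the version lies inside any affected [introduced, fixed) range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


_PIN_RE = re.compile(r"^\s*supervisor\s*==\s*([^\s;#]+)", re.IGNORECASE)


def vulnerable_pins(freeze_output):
    """Return (line_no, version) for every supervisor== pin inside an affected range."""
    hits = []
    for no, line in enumerate(freeze_output.splitlines(), 1):
        m = _PIN_RE.match(line)
        if m and is_affected(m.group(1)):
            hits.append((no, m.group(1)))
    return hits


# Constructed sample input, not real output from any system.
SAMPLE_FREEZE = """\
meld3==1.0.2
supervisor==3.3.2
Supervisor==3.0.1
supervisor==4.2.5
"""

if __name__ == "__main__":
    for v in ("3.0a8", "3.0.1", "3.1.3", "3.2.4", "3.3.2", "3.3.3"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(vulnerable_pins(SAMPLE_FREEZE))
```

The ranges are deliberately kept as separate intervals rather than collapsed to "< 3.3.3": 3.0.1 through 3.0.x, 3.1.4 through 3.1.x and 3.2.4 through 3.2.x are fixed backport lines and must not be flagged.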
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.0 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (18)
- ADVISORY: https://github.com/advisories/GHSA-x7c8-4x3h-874w
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-11610
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2017-11610
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2017-11610
- WEB: https://access.redhat.com/errata/RHSA-2017:3005
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/supervisor/PYSEC-2017-41.yaml
- WEB: https://github.com/Supervisor/supervisor
- WEB: https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt
- WEB: https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt
- WEB: https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt
- WEB: https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt
- WEB: https://github.com/Supervisor/supervisor/issues/964
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ
- WEB: https://security.gentoo.org/glsa/201709-06
- WEB: https://www.exploit-db.com/exploits/42779
- WEB: http://www.debian.org/security/2017/dsa-3942