CVE-2017-11610

Опубликовано: 23 авг. 2017

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Критический

Описание

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

Ссылки

http://www.debian.org/security/2017/dsa-3942
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3005
Third Party Advisory
https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/issues/964
Issue Tracking
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/
https://security.gentoo.org/glsa/201709-06
Third Party Advisory
https://www.exploit-db.com/exploits/42779/
Exploit
Third Party Advisory
VDB Entry
http://www.debian.org/security/2017/dsa-3942
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3005
Third Party Advisory
https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt
Release Notes
Vendor Advisory
https://github.com/Supervisor/supervisor/issues/964
Issue Tracking
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:supervisord:supervisor:*:*:*:*:*:*:*:*

Версия до 3.0 (включая)

cpe:2.3:a:supervisord:supervisor:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.1.1:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.1.2:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.1.3:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.3.0:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:supervisord:supervisor:3.3.2:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 4

cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.93788

Критический

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-276

Связанные уязвимости

CVE-2017-11610

CVSS3: 8.8

ubuntu

больше 8 лет назад

CVE-2017-11610

CVSS3: 7

redhat

больше 8 лет назад

CVE-2017-11610

CVSS3: 8.8

debian

больше 8 лет назад

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2 ...

GHSA-x7c8-4x3h-874w

CVSS3: 8.8

github

больше 3 лет назад

Incorrect Default Permissions in Supervisor

BDU:2017-02043

fstec

больше 8 лет назад

Уязвимость компонента XML-RPC веб-сервера Supervisor и операционных систем Fedora, Debian GNU/Linux , позволяющая нарушителю выполнить произвольные команды

EPSS

Процентиль: 100%

0.93788

Критический

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-276