exploitDog

CVE-2017-11610

Published: 24 Jul 2017
Source: redhat
CVSS3: 7
EPSS: Critical

Description

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service.

Affected packages

Platform                               | Package                     | Status       | Advisory       | Release
Red Hat Ceph Storage 1.3               | supervisor                  | Will not fix |                |
Red Hat Ceph Storage 2                 | supervisor                  | Will not fix |                |
Red Hat Mobile Application Platform 4  | nagios                      | Not affected |                |
CloudForms Management Engine 5.8       | ansible-tower               | Fixed        | RHSA-2017:3005 | 24.10.2017
CloudForms Management Engine 5.8       | cfme                        | Fixed        | RHSA-2017:3005 | 24.10.2017
CloudForms Management Engine 5.8       | cfme-appliance              | Fixed        | RHSA-2017:3005 | 24.10.2017
CloudForms Management Engine 5.8       | cfme-gemset                 | Fixed        | RHSA-2017:3005 | 24.10.2017
CloudForms Management Engine 5.8       | rabbitmq-server             | Fixed        | RHSA-2017:3005 | 24.10.2017
CloudForms Management Engine 5.8       | rh-ruby23-rubygem-nokogiri  | Fixed        | RHSA-2017:3005 | 24.10.2017
CloudForms Management Engine 5.8       | supervisor                  | Fixed        | RHSA-2017:3005 | 24.10.2017

Additional information

Status: Moderate
Weakness: CWE-77
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1476143 (supervisor: Command injection via malicious XML-RPC request)

EPSS: 0.93788 (percentile: 100%, Critical)

CVSS3: 7 (High)

Related vulnerabilities

CVSS3: 8.8
ubuntu
more than 8 years ago

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

CVSS3: 8.8
nvd
more than 8 years ago

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

CVSS3: 8.8
debian
more than 8 years ago

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2 ...

CVSS3: 8.8
github
more than 3 years ago

Incorrect Default Permissions in Supervisor

fstec
more than 8 years ago

A vulnerability in the XML-RPC component of the Supervisor web server and of the Fedora and Debian GNU/Linux operating systems that allows an attacker to execute arbitrary commands
