[3.5] supervisor: Command injection via malicious XML-RPC request (CVE-2017-11610)
A vulnerability has been found where an authenticated client can send a
malicious XML-RPC request to supervisord
that will run arbitrary shell commands on the server. The commands will
be run as the same user as supervisord.
Depending on how supervisord has been configured, this may be root.
Affected Versions
This vulnerability has existed in all versions of Supervisor since 3.0a1 (released in 2007).
Fixed in:
Supervisor 3.3.3, Supervisor 3.2.4, Superivsor 3.1.4
References:
https://github.com/Supervisor/supervisor/issues/964
(from redmine: issue id 7687, created on 2017-08-15, closed on 2017-08-17)
- Relations:
- parent #7684 (closed)
- Changesets:
- Revision 7e6e557e by Francesco Colista on 2017-08-17T07:47:53Z:
main/supervisor: security upgrade to 3.2.4 (CVE-2017-11610). Fixes #7687