[3.3] supervisor: Command injection via malicious XML-RPC request (CVE-2017-11610)
A vulnerability has been found where an authenticated client can send a
malicious XML-RPC request to supervisord
that will run arbitrary shell commands on the server. The commands will
be run as the same user as supervisord.
Depending on how supervisord has been configured, this may be root.
Affected Versions
This vulnerability has existed in all versions of Supervisor since 3.0a1 (released in 2007).
Fixed in:
Supervisor 3.3.3, Supervisor 3.2.4, Superivsor 3.1.4
References:
https://github.com/Supervisor/supervisor/issues/964
(from redmine: issue id 7689, created on 2017-08-15, closed on 2017-08-17)
- Relations:
- parent #7684 (closed)
- Changesets:
- Revision 6a21067c by Francesco Colista on 2017-08-17T07:39:47Z:
main/supervisor: security upgrade to 3.1.4 (CVE-2017-11610). Fixes #7689