CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12105
https://notcve.org/view.php?id=CVE-2019-12105
In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation ** EN DISPUTA ** En Supervisor hasta la versión 4.0.2, un usuario no autenticado puede leer archivos de registro o reiniciar un servicio. Nota: El responsable de mantenimiento respondió que el componente afectado, inet_http_server, no está habilitado de manera predeterminada, pero si el usuario lo habilita y no establece una contraseña, Supervisor registra un mensaje de advertencia. El responsable de mantenimiento indicó que la capacidad de ejecutar un servidor abierto no se eliminará, pero se agregó una advertencia adicional a la documentación. • http://supervisord.org/configuration.html#inet-http-server-section-settings https://github.com/Supervisor/supervisor/commit/4e334d9cf2a1daff685893e35e72398437df3dcb https://github.com/Supervisor/supervisor/issues/1245 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 97%CPEs: 18EXPL: 4CVE-2017-11610 – Supervisor 3.0a1 < 3.3.2 - XML-RPC (Authenticated) Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11610
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups. El servidor XML-RPC en supervisor en versiones anteriores a la 3.0.1, 3.1.x en versiones anteriores a la 3.1.4, 3.2.x en versiones anteriores a la 3.2.4, y 3.3.x en versiones anteriores a la 3.3.3 permite que atacantes remotos autenticados ejecuten comandos arbitrarios mediante una petición XML-RPC, relacionada con búsquedas de espacio de nombres supervisor anidados. A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service. • https://www.exploit-db.com/exploits/42779 https://github.com/yaunsky/CVE-2017-11610 https://github.com/ivanitlearning/CVE-2017-11610 http://www.debian.org/security/2017/dsa-3942 https://access.redhat.com/errata/RHSA-2017:3005 https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.3. • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-276: Incorrect Default Permissions •