Incorrect Default Permissions

Affecting supervisor package, versions <3.2.0-2ubuntu0.2


Overview

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

CVSS Score

8.8
medium severity
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F
CVE: CVE-2017-11610
CWE: CWE-276
Snyk ID: SNYK-UBUNTU1604-SUPERVISOR-274722
Disclosed: 23 Aug, 2017
Published: 23 Aug, 2017