{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-07-24T00:00:00", "descriptions": [{"lang": "en", "value": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-01T21:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2017:3005", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:3005"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt"}, {"name": "FEDORA-2017-307eab89e1", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/"}, {"name": "FEDORA-2017-85eb9f7a36", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt"}, {"name": "FEDORA-2017-713430fb15", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/"}, {"name": "DSA-3942", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3942"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Supervisor/supervisor/issues/964"}, {"name": "42779", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42779/"}, {"name": "GLSA-201709-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201709-06"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11610", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:3005", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:3005"}, {"name": "https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt", "refsource": "CONFIRM", "url": "https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt"}, {"name": "https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt", "refsource": "CONFIRM", "url": "https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt"}, {"name": "https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt", "refsource": "CONFIRM", "url": "https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt"}, {"name": "FEDORA-2017-307eab89e1", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/"}, {"name": "FEDORA-2017-85eb9f7a36", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/"}, {"name": "https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt", "refsource": "CONFIRM", "url": "https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt"}, {"name": "FEDORA-2017-713430fb15", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/"}, {"name": "DSA-3942", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3942"}, {"name": "https://github.com/Supervisor/supervisor/issues/964", "refsource": "CONFIRM", "url": "https://github.com/Supervisor/supervisor/issues/964"}, {"name": "42779", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42779/"}, {"name": "GLSA-201709-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201709-06"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:12:40.456Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:3005", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:3005"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt"}, {"name": "FEDORA-2017-307eab89e1", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/"}, {"name": "FEDORA-2017-85eb9f7a36", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt"}, {"name": "FEDORA-2017-713430fb15", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/"}, {"name": "DSA-3942", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3942"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Supervisor/supervisor/issues/964"}, {"name": "42779", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/42779/"}, {"name": "GLSA-201709-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201709-06"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11610", "datePublished": "2017-08-23T14:00:00", "dateReserved": "2017-07-24T00:00:00", "dateUpdated": "2024-08-05T18:12:40.456Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:supervisord:supervisor:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF8843B0-023D-4D38-B8A6-0082DA076EB0", "versionEndIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8F7331EA-43A4-4B66-A2C8-9F9677CDF199", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "873339F6-2F2F-4FCA-850B-AFBB869FAE49", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "EB8C540A-EFA9-41E3-B80A-B5D1DC002BF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "3F9FCD82-05D1-4AE0-B5F4-83C70D34B3C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EEBADED9-ABB4-4D28-916E-71A005781756", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "58A70602-4024-4EB4-BC9D-9AA65E3DC3FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "164F8D14-DC0E-4F60-B3E9-E4BB7BC859DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "FACD9C65-805C-42B8-970F-71086029EC3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "73D1DFCA-8289-41C7-A11A-5B5BFA6BA493", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "A9C1E9BA-5D9E-407F-80DE-E3C7886F8FD0", "vulnerable": true}, {"criteria": "cpe:2.3:a:supervisord:supervisor:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4642C276-6F33-4FC8-80FB-512310366D30", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*", "matchCriteriaId": "C729D5D1-ED95-443A-9F53-5D7C2FD9B80C", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*", "matchCriteriaId": "772E9557-A371-4664-AE2D-4135AAEB89AA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*", "matchCriteriaId": "6E4D8269-B407-4C24-AAB0-02F885C7D752", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "32E1BA91-4695-4E64-A9D7-4A6CB6904D41", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups."}, {"lang": "es", "value": "El servidor XML-RPC en supervisor en versiones anteriores a la 3.0.1, 3.1.x en versiones anteriores a la 3.1.4, 3.2.x en versiones anteriores a la 3.2.4, y 3.3.x en versiones anteriores a la 3.3.3 permite que atacantes remotos autenticados ejecuten comandos arbitrarios mediante una petici\u00f3n XML-RPC, relacionada con b\u00fasquedas de espacio de nombres supervisor anidados."}], "id": "CVE-2017-11610", "lastModified": "2023-11-07T02:38:18.700", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-23T14:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2017/dsa-3942"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:3005"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/Supervisor/supervisor/issues/964"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201709-06"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/42779/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:3005", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "ansible-tower-0:3.1.5-1.el7at", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-10-24T00:00:00Z"}, {"advisory": "RHSA-2017:3005", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-0:5.8.2.3-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-10-24T00:00:00Z"}, {"advisory": "RHSA-2017:3005", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-appliance-0:5.8.2.3-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-10-24T00:00:00Z"}, {"advisory": "RHSA-2017:3005", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-gemset-0:5.8.2.3-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-10-24T00:00:00Z"}, {"advisory": "RHSA-2017:3005", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "rabbitmq-server-0:3.6.9-1.el7at", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-10-24T00:00:00Z"}, {"advisory": "RHSA-2017:3005", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "rh-ruby23-rubygem-nokogiri-0:1.8.1-2.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-10-24T00:00:00Z"}, {"advisory": "RHSA-2017:3005", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "supervisor-0:3.1.4-1.el7", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-10-24T00:00:00Z"}], "bugzilla": {"description": "supervisor: Command injection via malicious XML-RPC request", "id": "1476143", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1476143"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-77", "details": ["The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.", "A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service."], "name": "CVE-2017-11610", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:1.3", "fix_state": "Will not fix", "package_name": "supervisor", "product_name": "Red Hat Ceph Storage 1.3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Will not fix", "package_name": "supervisor", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "nagios", "product_name": "Red Hat Mobile Application Platform 4"}], "public_date": "2017-07-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-11610\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-11610"], "threat_severity": "Moderate", "upstream_fix": "supervisor 3.3.3"}