{"id":"CVE-2017-11610","details":"The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.","aliases":["GHSA-x7c8-4x3h-874w","PYSEC-2017-41"],"modified":"2026-05-28T04:03:41.213344505Z","published":"2017-08-23T14:29:00.237Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"8.0"},{"last_affected":"9.0"}],"vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_STRING"},{"extracted_events":[{"last_affected":"24"},{"last_affected":"25"},{"last_affected":"26"}],"vendor_product":"fedoraproject:fedora","cpes":["cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*"],"source":"CPE_STRING"},{"extracted_events":[{"last_affected":"4.5"}],"vendor_product":"redhat:cloudforms","cpes":["cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*"],"source":"CPE_STRING"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3942"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3005"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201709-06"},{"type":"REPORT","url":"https://github.com/Supervisor/supervisor/issues/964"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/42779/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/supervisor/supervisor","events":[{"introduced":"0"},{"last_affected":"b0cb0980d97b475d8e08801e7b64a9d219cb7eb0"},{"last_affected":"fa45f8f6faff996e9f68f8ebda0ed52b9a47f0b4"},{"last_affected":"62dd947625825178ffe2c113a4711a65cf99d36f"},{"last_affected":"7786119a97f02b9df87031563523ee878c55fc5b"},{"last_affected":"f067ed44b726b754d23f97fd1277a23292382f82"},{"last_affected":"5fcab2c8349f5e0be664f2b29daff975bc889255"},{"last_affected":"b7e4ed8510c10b9dbdeb1c94c1890618f67df19f"},{"last_affected":"26cc505f5eb5b0d323cbcf4a9ec05c76cf7c0630"},{"last_affected":"8286f01c9c5324c07e9098bda279a49144e5c2d7"},{"last_affected":"4142109d2d7dc1dd4153831f7c82d1131dac31ee"},{"last_affected":"504e2fba3bf527ddd6969d7764fc624486d8fed6"},{"last_affected":"42bfa5537996b2a40511ef8a5a9f7e8ec3118c98"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"3.0"},{"last_affected":"3.1.0"},{"last_affected":"3.1.1"},{"last_affected":"3.1.2"},{"last_affected":"3.1.3"},{"last_affected":"3.2.0"},{"last_affected":"3.2.1"},{"last_affected":"3.2.2"},{"last_affected":"3.2.3"},{"last_affected":"3.3.0"},{"last_affected":"3.3.1"},{"last_affected":"3.3.2"}],"cpe":["cpe:2.3:a:supervisord:supervisor:*:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.1.0:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.1.1:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.1.2:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.1.3:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.2.0:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.2.1:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.2.2:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.2.3:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.3.1:*:*:*:*:*:*:*","cpe:2.3:a:supervisord:supervisor:3.3.2:*:*:*:*:*:*:*"],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["3.2.3","3.1.3","3.0","3.3.2","3.3.1","3.3.0","3.2.2","3.2.1","3.2.0","3.1.2","3.1.1","3.1.0","3.0b2","3.0b1","3.0a12","3.0a11","3.0a10"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-11610.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}