Vulnerability Details: CVE-2017-11610
Public exploit exists!
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.
Exploit prediction scoring system (EPSS) score for CVE-2017-11610
Probability of exploitation activity in the next 30 days: 97.48%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 %
Metasploit modules for CVE-2017-11610
-
Supervisor XML-RPC Authenticated Remote Code Execution
Disclosure Date: 2017-07-19
First seen: 2020-04-26
exploit/linux/http/supervisor_xmlrpc_exec
This module exploits a vulnerability in the Supervisor process control software, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord.
CVSS scores for CVE-2017-11610
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2017-11610
-
During installation, installed file permissions are set to allow anyone to modify those files.
Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-11610
-
https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt
supervisor/CHANGES.txt at 3.0.1 · Supervisor/supervisor · GitHub (Release Notes; Vendor Advisory)
-
https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt
supervisor/CHANGES.txt at 3.3.3 · Supervisor/supervisor · GitHub (Release Notes; Vendor Advisory)
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/
[SECURITY] Fedora 24 Update: supervisor-3.1.4-1.fc24 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/
[SECURITY] Fedora 26 Update: supervisor-3.3.3-1.fc26 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
-
https://www.exploit-db.com/exploits/42779/
Supervisor 3.0a1 < 3.3.2 - XML-RPC (Authenticated) Remote Code Execution (Metasploit) (Exploit; Third Party Advisory; VDB Entry)
-
https://github.com/Supervisor/supervisor/issues/964
[CVE-2017-11610] RCE vulnerability report · Issue #964 · Supervisor/supervisor · GitHub (Issue Tracking; Vendor Advisory)
-
https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt
supervisor/CHANGES.txt at 3.2.4 · Supervisor/supervisor · GitHub (Release Notes; Vendor Advisory)
-
https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt
supervisor/CHANGES.txt at 3.1.4 · Supervisor/supervisor · GitHub (Release Notes; Vendor Advisory)
-
http://www.debian.org/security/2017/dsa-3942
Debian -- Security Information -- DSA-3942-1 supervisor (Third Party Advisory)
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/
[SECURITY] Fedora 25 Update: supervisor-3.2.4-1.fc25 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
-
https://security.gentoo.org/glsa/201709-06
Supervisor: command injection vulnerability (GLSA 201709-06) — Gentoo security (Third Party Advisory)
-
https://access.redhat.com/errata/RHSA-2017:3005
RHSA-2017:3005 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
Products affected by CVE-2017-11610
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:*:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:supervisord:supervisor:3.2.0:*:*:*:*:*:*:*