FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
c9460380-81e3-11e7-93af-005056925db4	Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests mnaberez reports: supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. This vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. If authentication has not been enabled, supervisord will log a message at the critical level every time it starts. Discovery 2017-07-24 Entry 2017-08-15 py27-supervisor < 3.3.3,1 http://supervisord.org/changes.html https://github.com/Supervisor/supervisor/issues/964#issuecomment-317551606 CVE-2017-11610

VuXML ID

Description

c9460380-81e3-11e7-93af-005056925db4

Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests

mnaberez reports:

supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

This vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. If authentication has not been enabled, supervisord will log a message at the critical level every time it starts.

Discovery 2017-07-24
Entry 2017-08-15
py27-supervisor

< 3.3.3,1

http://supervisord.org/changes.html
https://github.com/Supervisor/supervisor/issues/964#issuecomment-317551606
CVE-2017-11610