⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.
Severity
8.8 HIGH
EPSS
93.8%
top 0.14%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Aug 23
Latest update: May 13

Description

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

Ecosystem | Package | Affected | Fixed | More rows
PyPI | supervisor | 3.1.0 | 3.1.4 | +3
Debian | supervisor | < 3.3.1-1.1 | | +3

Also affects: Debian Linux 8.0, 9.0, Fedora 24, 25, 26

🔴 Vulnerability Details (5)
GHSA
Incorrect Default Permissions in Supervisor (2022-05-13)
OSV
Incorrect Default Permissions in Supervisor (2022-05-13)
CVEList
CVE-2017-11610: The XML-RPC server in supervisor before 3 (2017-08-23)
OSV
CVE-2017-11610: The XML-RPC server in supervisor before 3 (2017-08-23)
VulnCheck
supervisord supervisor Incorrect Default Permissions (2017)

💥 Exploits & PoCs (2)
Exploit-DB
Supervisor 3.0a1 < 3.3.2 - XML-RPC (Authenticated) Remote Code Execution (Metasploit) (2017-09-25)
Nuclei
XML-RPC Server - Remote Code Execution

📋 Vendor Advisories (2)
Red Hat
supervisor: Command injection via malicious XML-RPC request (2017-07-24)
Debian
CVE-2017-11610: supervisor - The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before ... (2017)

💬 Community (3)
Bugzilla
CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request [fedora-all] (2017-07-28)
Bugzilla
CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request [epel-all] (2017-07-28)
Bugzilla
CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request (2017-07-28)
CVE-2017-11610 (HIGH CVSS 8.8) | The XML-RPC server in supervisor be | cvebase.io