CVE-2019-12105Missing Authentication for Critical Function in Supervisor

CWE-306Missing Authentication for Critical Function6 documents5 sources
Severity
8.2HIGHNVD
EPSS
1.8%
top 17.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Supervisord Supervisor
Timeline
PublishedSep 10
Latest updateMay 24

Description

In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

PyPIsupervisord/supervisor< 4e334d9cf2a1daff685893e35e72398437df3dcb+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
GHSA-6x94-2xr2-xgw3: In supervisord in Supervisor through 42022-05-24
OSV
CVE-2019-12105: ** DISPUTED ** In Supervisor through 42019-09-10
CVEList
CVE-2019-12105: In Supervisor through 42019-09-10
OSV
CVE-2019-12105: In Supervisor through 42019-09-10

📋Vendor Advisories

1
Debian
CVE-2019-12105: supervisor - In Supervisor through 4.0.2, an unauthenticated user can read log files or resta...2019
CVE-2019-12105 — Supervisord Supervisor vulnerability | cvebase