Sid 1-44483

Message

SERVER-OTHER Supervisord remote code execution attempt

Summary

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

Impact

CVE-2017-11610:

CVSS base score 8.8

CVSS impact score 5.9

CVSS exploitability score 2.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2017-11610: The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

Affected systems

  • supervisord supervisor 3.0
  • supervisord supervisor 3.1.0
  • supervisord supervisor 3.1.1
  • supervisord supervisor 3.1.2
  • supervisord supervisor 3.1.3
  • supervisord supervisor 3.2.0
  • supervisord supervisor 3.2.1
  • supervisord supervisor 3.2.2
  • supervisord supervisor 3.2.3
  • supervisord supervisor 3.3.0
  • supervisord supervisor 3.3.1
  • supervisord supervisor 3.3.2
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • fedoraproject fedora 24
  • fedoraproject fedora 25
  • fedoraproject fedora 26

Ease of attack

CVE-2017-11610:

Access Vector

Access Complexity

Authentication

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database (NVD), a product of the National Institute of Standards and Technology (NIST).
  • For more information see NVD.

Additional References

  • supervisord.org/