{"id":"CVE-2017-11610","details":"The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.","aliases":["GHSA-x7c8-4x3h-874w","PYSEC-2017-41"],"modified":"2026-04-16T06:26:01.209862186Z","published":"2017-08-23T14:29:00.237Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3942"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3005"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201709-06"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt"},{"type":"ADVISORY","url":"https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt"},{"type":"REPORT","url":"https://github.com/Supervisor/supervisor/issues/964"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/42779/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/supervisor/supervisor","events":[{"introduced":"0"},{"last_affected":"b0cb0980d97b475d8e08801e7b64a9d219cb7eb0"},{"introduced":"0"},{"last_affected":"fa45f8f6faff996e9f68f8ebda0ed52b9a47f0b4"},{"introduced":"0"},{"last_affected":"62dd947625825178ffe2c113a4711a65cf99d36f"},{"introduced":"0"},{"last_affected":"7786119a97f02b9df87031563523ee878c55fc5b"},{"introduced":"0"},{"last_affected":"f067ed44b726b754d23f97fd1277a23292382f82"},{"introduced":"0"},{"last_affected":"5fcab2c8349f5e0be664f2b29daff975bc889255"},{"introduced":"0"},{"last_affected":"b7e4ed8510c10b9dbdeb1c94c1890618f67df19f"},{"introduced":"0"},{"last_affected":"26cc505f5eb5b0d323cbcf4a9ec05c76cf7c0630"},{"introduced":"0"},{"last_affected":"8286f01c9c5324c07e9098bda279a49144e5c2d7"},{"introduced":"0"},{"last_affected":"4142109d2d7dc1dd4153831f7c82d1131dac31ee"},{"introduced":"0"},{"last_affected":"504e2fba3bf527ddd6969d7764fc624486d8fed6"},{"introduced":"0"},{"last_affected":"42bfa5537996b2a40511ef8a5a9f7e8ec3118c98"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.0"},{"introduced":"0"},{"last_affected":"3.1.0"},{"introduced":"0"},{"last_affected":"3.1.1"},{"introduced":"0"},{"last_affected":"3.1.2"},{"introduced":"0"},{"last_affected":"3.1.3"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"3.2.1"},{"introduced":"0"},{"last_affected":"3.2.2"},{"introduced":"0"},{"last_affected":"3.2.3"},{"introduced":"0"},{"last_affected":"3.3.0"},{"introduced":"0"},{"last_affected":"3.3.1"},{"introduced":"0"},{"last_affected":"3.3.2"}]}}],"versions":["3.0","3.0a10","3.0a11","3.0a12","3.0b1","3.0b2","3.1.0","3.1.1","3.1.2","3.1.3","3.2.0","3.2.1","3.2.2","3.2.3","3.3.0","3.3.1","3.3.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-11610.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"24"}]},{"events":[{"introduced":"0"},{"last_affected":"25"}]},{"events":[{"introduced":"0"},{"last_affected":"26"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.5"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}