{"id":"PYSEC-2017-41","details":"The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.","aliases":["CVE-2017-11610","GHSA-x7c8-4x3h-874w"],"modified":"2023-11-08T03:58:49.782742Z","published":"2017-08-23T14:29:00Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/"},{"type":"REPORT","url":"https://github.com/Supervisor/supervisor/issues/964"},{"type":"WEB","url":"https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt"},{"type":"WEB","url":"https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt"},{"type":"WEB","url":"https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt"},{"type":"WEB","url":"https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3942"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201709-06"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/42779/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3005"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-x7c8-4x3h-874w"}],"affected":[{"package":{"name":"supervisor","ecosystem":"PyPI","purl":"pkg:pypi/supervisor"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.1"},{"introduced":"3.1"},{"fixed":"3.1.4"},{"introduced":"3.2"},{"fixed":"3.2.4"},{"introduced":"3.3"},{"fixed":"3.3.3"}]}],"versions":["2.0","2.0b1","2.1","2.1b1","2.2b1","3.0","3.0a1","3.0a10","3.0a11","3.0a12","3.0a2","3.0a3","3.0a4","3.0a5","3.0a6","3.0a7","3.0a8","3.0a9","3.0b1","3.0b2","3.1.0","3.1.1","3.1.2","3.1.3","3.2.0","3.2.1","3.2.2","3.2.3","3.3.0","3.3.1","3.3.2","a3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/supervisor/PYSEC-2017-41.yaml"}}],"schema_version":"1.7.3"}