{"id":"PYSEC-2019-126","details":"** DISPUTED ** In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation.","aliases":["CVE-2019-12105"],"modified":"2023-11-08T04:01:02.830789Z","published":"2019-09-10T17:15:00Z","references":[{"type":"FIX","url":"https://github.com/Supervisor/supervisor/commit/4e334d9cf2a1daff685893e35e72398437df3dcb"},{"type":"REPORT","url":"https://github.com/Supervisor/supervisor/issues/1245"},{"type":"WEB","url":"http://supervisord.org/configuration.html#inet-http-server-section-settings"}],"affected":[{"package":{"name":"supervisor","ecosystem":"PyPI","purl":"pkg:pypi/supervisor"},"ranges":[{"type":"GIT","repo":"https://github.com/Supervisor/supervisor","events":[{"introduced":"0"},{"fixed":"4e334d9cf2a1daff685893e35e72398437df3dcb"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.3"}]}],"versions":["a3","2.0b1","2.0","2.1b1","2.1","2.2b1","3.0a1","3.0a2","3.0a3","3.0a4","3.0a5","3.0a6","3.0a7","3.0a8","3.0a9","3.0a10","3.0a11","3.0a12","3.0b1","3.0b2","3.0","3.0.1","3.1.0","3.1.1","3.1.2","3.1.3","3.1.4","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.4.0","4.0.0","4.0.1","4.0.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/supervisor/PYSEC-2019-126.yaml"}}],"schema_version":"1.7.3"}