Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626100 (CVE-2017-11610) - <app-admin/supervisor-{3.1.4, 3.3.3}: command injection vulnerability
Summary: <app-admin/supervisor-{3.1.4, 3.3.3}: command injection vulnerability
Alias: CVE-2017-11610
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa cve]
: 628724 (view as bug list)
Depends on:
Reported: 2017-07-24 22:06 UTC by Louis Sautier (sbraz)
Modified: 2017-09-17 15:46 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: No


Note You need to log in before you can comment on or make changes to this bug.
Description Louis Sautier (sbraz) gentoo-dev 2017-07-24 22:06:55 UTC
A vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server.  The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root.

The issue is fixed in 3.1.4 and 3.3.3.
Comment 1 Louis Sautier (sbraz) gentoo-dev 2017-07-24 22:50:06 UTC
PR here:
Comment 2 Louis Sautier (sbraz) gentoo-dev 2017-07-26 18:39:00 UTC
Vulnerable versions removed from the tree:
Comment 3 D'juan McDonald (domhnall) 2017-08-23 16:56:31 UTC
*** Bug 628724 has been marked as a duplicate of this bug. ***
Comment 4 D'juan McDonald (domhnall) 2017-08-23 17:58:50 UTC
@maintainer(s), Thank you for your work. ping @Security, please follow procedure to close on report, thank you.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:46:39 UTC
This issue was resolved and addressed in
 GLSA 201709-06 at
by GLSA coordinator Aaron Bauman (b-man).