Published: 23/08/2017 Updated: 07/11/2023

CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 906

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

The XML-RPC server in supervisor prior to 3.0.1, 3.1.x prior to 3.1.4, 3.2.x prior to 3.2.4, and 3.3.x prior to 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

Vulnerable Product	Search on Vulmon	Subscribe to Product
supervisord supervisor 3.1.2
supervisord supervisor 3.3.1
supervisord supervisor
supervisord supervisor 3.2.3
supervisord supervisor 3.2.2
supervisord supervisor 3.2.0
supervisord supervisor 3.2.1
supervisord supervisor 3.3.2
supervisord supervisor 3.1.1
supervisord supervisor 3.1.0
supervisord supervisor 3.3.0
supervisord supervisor 3.1.3
fedoraproject fedora 26
fedoraproject fedora 25
fedoraproject fedora 24
debian debian linux 8.0
debian debian linux 9.0
redhat cloudforms 4.5

Synopsis Important: Red Hat CloudForms security, bug fix, and enhancement update Type/Severity Security Advisory: Important Topic An update is now available for CloudForms Management Engine 58Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Sc ...

Debian Bug report logs - #870187 supervisor: CVE-2017-11610: Command injection via malicious XML-RPC request Package: src:supervisor; Maintainer for src:supervisor is Python Applications Packaging Team <python-apps-team@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sun, 30 Jul 2 ...

Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server as the same user as supervisord The vulnerability has ...

A vulnerability was found in the XML-RPC interface in supervisord When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord Exploitation requires the attacker to first be authenticated to the supervisord service ...

## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info={}) super(update_info(info, ...

This Metasploit module exploits a vulnerability in the Supervisor process control software, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server The commands will be run as the same user as supervisord Depending on how supervisord has been configured, this may be ro ...

Standalone Python ≥3.6 RCE Unauthenticated exploit for Supervisor 3.0a1 to 3.3.2

CVE-2017-11610 Unauthenticated Reverse Shell RCE for Supervisor 30a1 - 332 Standalone Python ≥36 Unauthenticated RCE exploit for Supervisor 30a1 to 332, rewritten from this Metasploit module Explanatory post here Tested with Python 37 on this target runing Supervisor 332 Usage: root@Kali:~/Infosec/RubyStuff/Supervisor-332# /exploitpy -h usage: exploitpy [-h]

Supervisord远程命令执行漏洞脚本

Supervisord远程命令执行漏洞脚本（CVE-2017-11610）漏洞简介 Supervisor 是一个用 Python 写的进程管理工具，可以很方便的用来在 UNIX-like 系统（不支持 Windows）下启动、重启（自动重启程序）、关闭进程（不仅仅是 Python 进程） Supervisor 是一个 C/S 模型的程序，supervisord 是 server 端，supervisorctl 是

Supervisord 远程命令执行漏洞（CVE-2017-11610）参考链接（可以详细看一下第一篇文章）： wwwleavesongscom/PENETRATION/supervisord-RCE-CVE-2017-11610html blogssecuriteamcom/indexphp/archives/3348 githubcom/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b 运行环境 docker-compose build docker-compo

java图形化漏洞利用工具集

javafx_tools java图形化漏洞利用工具集（本工具采用java18编写）小白工具集10 Supervisord CVE-2017-11610 Fuelcms CVE-2018-16763 showdoc Atlassian Confluence CVE-2022-26134 PHPUnit CVE-2017-9841 编码工具 H3C_IMC 向日葵 ⚠️ 免责声明此工具仅作为网络安全攻防研究交流，请使用者遵照网络安全法合理使用！

CWE-276 https://github.com/Supervisor/supervisor/issues/964 https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt http://www.debian.org/security/2017/dsa-3942 https://security.gentoo.org/glsa/201709-06 https://www.exploit-db.com/exploits/42779/https://access.redhat.com/errata/RHSA-2017:3005 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/https://access.redhat.com/errata/RHSA-2017:3005 https://nvd.nist.gov https://www.exploit-db.com/exploits/42779/https://github.com/ivanitlearning/CVE-2017-11610 https://www.debian.org/security/./dsa-3942

CVE-2017-11610

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

Github Repositories

References

Vulmon Search

About

Products

Connect