Supervisor: command injection vulnerability — GLSA 201709-06

A vulnerability in Supervisor might allow remote attackers to execute arbitrary code.

Affected Packages

app-admin/supervisor on all architectures
Affected versions < 3.1.4
Unaffected versions >= 3.1.4

Background

Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems.

Description

A vulnerability in Supervisor was discovered in which an authenticated client could send malicious XML-RPC requests and supervidord will run them as shell commands with process privileges. In some cases, supervisord is configured with root permissions.

Impact

A remote attacker could execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Supervisor users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "=app-admin/supervisor-3.1.4"
 

References

Release Date
September 17, 2017

Latest Revision
September 17, 2017: 1

Severity
high

Exploitable
remote

Bugzilla entries