GLSA-201709-06 : Supervisor: command injection vulnerability
High Nessus Plugin ID 103274
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-201709-06 (Supervisor: command injection vulnerability).
A vulnerability in Supervisor was discovered in which an authenticated client could send malicious XML-RPC requests and supervisord will run them as shell commands with the privileges of the supervisord process. In some cases, supervisord is configured to run as root.
A remote attacker could execute arbitrary code with the privileges of the process.
There is no known workaround at this time.
Solution
All Supervisor users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '=app-admin/supervisor-3.1.4'