CVE-2019-12105 supervisor

Package

Manager: pip
Name: supervisor
Vulnerable Version: =a3 || =2.0b1 || =2.0 || =2.1b1 || =2.1 || =2.2b1 || =3.0a1 || =3.0a2 || =3.0a3 || =3.0a4 || =3.0a5 || =3.0a6 || =3.0a7 || =3.0a8 || =3.0a9 || =3.0a10 || =3.0a11 || =3.0a12 || =3.0b1 || =3.0b2 || =3.0 || =3.0.1 || =3.1.0 || =3.1.1 || =3.1.2 || =3.1.3 || =3.1.4 || =3.2.0 || =3.2.1 || =3.2.2 || =3.2.3 || =3.2.4 || =3.3.0 || =3.3.1 || =3.3.2 || =3.3.3 || =3.3.4 || =3.3.5 || =3.4.0 || =4.0.0 || =4.0.1 || =4.0.2 || >=0 <4e334d9cf2a1daff685893e35e72398437df3dcb || >=0 <4.0.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01812 (percentile 0.82125)

Details

** DISPUTED ** In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default, but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated that the ability to run an open server will not be removed, but an additional warning was added to the documentation.
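A configuration audit for the condition described above, as an added example that is not part of the original advisory or of Supervisor's own code. It parses a supervisord.conf and reports when [inet_http_server] is enabled without credentials or bound beyond loopback; the sample configs are constructed, and treating a missing username or password as "no authentication" is a conservative assumption of this check.

```python
import configparser

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_inet_http_server(conf_text):
    """Return finding codes for the [inet_http_server] section of a supervisord.conf."""
    # RawConfigParser: no %(...)s interpolation; " ;" starts an inline comment.
    cp = configparser.RawConfigParser(strict=False, inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    if not cp.has_section("inet_http_server"):
        return []  # TCP HTTP server not enabled (the default)
    sec = cp["inet_http_server"]
    findings = []
    # Assumption of this check: both values must be present and non-empty.
    if not (sec.get("username", "").strip() and sec.get("password", "").strip()):
        findings.append("no-auth")
    # port is "host:port"; an empty host or "*" means all interfaces.
    host = sec.get("port", "").strip().rpartition(":")[0].strip("[]")
    if host not in LOOPBACK:
        findings.append("non-loopback")
    return findings

# Constructed sample: open server, the setup the advisory describes.
OPEN_CONF = """
[inet_http_server]
port = *:9001
"""

# Constructed sample: credentials set and bound to loopback only.
HARDENED_CONF = """
[inet_http_server]
port = 127.0.0.1:9001   ; reachable from the local host only
username = ops
password = example-long-random-secret
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_inet_http_server(conf) or "ok")
```
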

Metadata

Created: 2019-09-10T17:15:00Z
Modified: 2023-11-08T04:01:02.830789Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F039
Auto approve: 1