Vulnerability Description
In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default, but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated that the ability to run an open server will not be removed, but an additional warning was added to the documentation.
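As an added check (not part of this advisory or of the Supervisor project), the script below audits a supervisord.conf for the condition the description refers to: an [inet_http_server] section enabled without username/password, or bound to every interface. The option names port, username and password are Supervisor's documented settings for that section; both sample configs are constructed for the example.

```python
import configparser

# Constructed sample supervisord.conf fragments (not taken from the advisory).
# The weak one enables the HTTP server on all interfaces with no credentials.
WEAK_CONF = """
[inet_http_server]
port = *:9001
"""

# The hardened one binds to loopback and requires a username/password pair.
HARDENED_CONF = """
[inet_http_server]
port = 127.0.0.1:9001
username = admin
password = REPLACE_WITH_STRONG_SECRET
"""


def audit_inet_http_server(conf_text):
    """Return a list of findings for the [inet_http_server] section.

    An empty list means the section is absent (Supervisor's default, so the
    HTTP server is not started) or it is both password-protected and bound
    to a specific address.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("inet_http_server"):
        return []
    section = cp["inet_http_server"]
    findings = []
    # Missing credentials is the condition this CVE describes.
    if not section.get("username") or not section.get("password"):
        findings.append("inet_http_server enabled without username/password")
    # A wildcard or empty host exposes the server beyond the local machine.
    port = section.get("port", "")
    host = port.rsplit(":", 1)[0] if ":" in port else ""
    if host in ("", "*", "0.0.0.0"):
        findings.append("inet_http_server bound to all interfaces: %s" % port)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_inet_http_server(conf) or "OK")
```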
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Supervisord | Supervisor | <= 4.0.2 |
Related Weaknesses (CWE)
References
- http://supervisord.org/configuration.html#inet-http-server-section-settings
- https://github.com/Supervisor/supervisor/commit/4e334d9cf2a1daff685893e35e723984 (Patch, Third Party Advisory)
- https://github.com/Supervisor/supervisor/issues/1245 (Third Party Advisory)
FAQ
What is CVE-2019-12105?
CVE-2019-12105 is a vulnerability with a CVSS score of 8.2 (HIGH). In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. The maintainer noted that the affected component, inet_http_server, is not enabled by default, and that Supervisor logs a warning if it is enabled without a password.
How severe is CVE-2019-12105?
CVE-2019-12105 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12105?
Check the references section above for vendor advisories and patch information. Affected products include: Supervisord Supervisor.