So, I was searching for vulnerabilities at my company and I found supervisord. It's a good service, but the user doesn't need authentication to view logs or restart a service. This is called a misconfiguration, because some people put this online and anyone can access it, view logs and restart services. Therefore I submitted it for a CVE; they required me to contact the developer to see if they will fix the bug and how much time is needed to do it.
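The misconfiguration described above, an `[inet_http_server]` with no `username`/`password`, can be caught in the config file before it ever goes online. The audit below is an added example, not code from this post or from the Supervisor project; it assumes only the standard `[inet_http_server]`/`[unix_http_server]` sections and their `port`, `username` and `password` keys from the supervisord configuration docs, and both sample configs are constructed.

```python
# Added audit example (not from the original post or from Supervisor itself):
# flag supervisord.conf HTTP server sections that expose the web/XML-RPC
# interface without credentials, which is the misconfiguration described above.
import configparser
import io

# Constructed sample: an inet_http_server on all interfaces with no
# credentials, next to a unix socket server that is properly protected.
WEAK_CONF = """\
[inet_http_server]
port=*:9001

[unix_http_server]
file=/var/run/supervisor.sock
username=admin
password=s3cret

[supervisord]
logfile=/var/log/supervisord.log
"""

# Constructed sample: the corrected form, bound to loopback with credentials.
FIXED_CONF = """\
[inet_http_server]
port=127.0.0.1:9001
username=admin
password=s3cret
"""

HTTP_SECTIONS = ("inet_http_server", "unix_http_server")

def audit_supervisord_conf(text):
    """Return (section, reason) findings for HTTP server sections without auth.

    An inet_http_server listening on all interfaces ('*:port' or ':port',
    per the supervisord docs) is also reported, since that is what turns a
    local convenience into an internet-exposed control panel.
    """
    # RawConfigParser: no %(...)s interpolation, so %(here)s-style values parse.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_file(io.StringIO(text))
    findings = []
    for section in HTTP_SECTIONS:
        if not cp.has_section(section):
            continue
        user = cp.get(section, "username", fallback="").strip()
        pw = cp.get(section, "password", fallback="").strip()
        if not user or not pw:
            findings.append((section, "no username/password configured"))
        if section == "inet_http_server":
            host = cp.get(section, "port", fallback="").split(":")[0].strip()
            if host in ("", "*", "0.0.0.0"):
                findings.append((section, "listens on all interfaces"))
    return findings
```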
> [Suggested description]
> In supervisord in Supervisor through 4.0.2,
> an unauthenticated user can read log files or restart a service.
>
> ------------------------------------------
>
> [Additional Information]
> http://supervisord.org/
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Missing Authentication for Critical Function
>
> ------------------------------------------
>
> [Vendor of Product]
> Supervisor
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Supervisord - <= 4.02
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> get sensitive data from logs
>
> ------------------------------------------
>
> [Attack Vectors]
> Just open the URL and port used by supervisord
>
> ------------------------------------------
>
> [Discoverer]
> Luan, monad
>
> ------------------------------------------
>
> [Reference]
> http://supervisord.org/configuration.html#supervisorctl-section-settings
Use CVE-2019-12105.
--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
Luan Souza ([email protected]) wrote in email: