Upstream information

CVE-2019-12105 at MITRE

Description

** DISPUTED ** In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation.
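An added example, not part of this page or of the Supervisor project: a check that flags the configuration the description refers to, an enabled `[inet_http_server]` section with no username and password set. The function name, the extra check for a non-loopback bind address, and the sample configurations are assumptions constructed for illustration.

```python
import configparser

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

def audit_supervisor_conf(text):
    """Return findings for the [inet_http_server] section of a supervisord.conf."""
    # RawConfigParser: no %(...)s interpolation; " ;" starts an inline comment.
    cp = configparser.RawConfigParser(inline_comment_prefixes=(";",), strict=False)
    cp.read_string(text)
    if not cp.has_section("inet_http_server"):
        return []  # component not enabled, which is the default
    sec = cp["inet_http_server"]
    findings = []
    # The case in the CVE description: server enabled, no credentials set.
    if not sec.get("username", "").strip() or not sec.get("password", "").strip():
        findings.append("no-auth")
    # Assumption: a bare port or "*" host is treated as listening on all interfaces.
    host = sec.get("port", "").strip().rpartition(":")[0].strip("[]")
    if host not in LOOPBACK_HOSTS:
        findings.append("non-loopback-bind")
    return findings

# Constructed sample configurations (not taken from any real system).
OPEN_CONF = """
[inet_http_server]
port = *:9001
"""

SECURED_CONF = """
[inet_http_server]
port = 127.0.0.1:9001
username = ops          ; constructed account name
password = constructed-placeholder
"""

DEFAULT_CONF = """
[supervisord]
logfile = /tmp/supervisord.log
"""

if __name__ == "__main__":
    for name, conf in [("open", OPEN_CONF), ("secured", SECURED_CONF),
                       ("default", DEFAULT_CONF)]:
        print(name, audit_supervisor_conf(conf))
```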

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores (National Vulnerability Database)

  • Base Score: 6.4
  • Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: Partial

SUSE Bugzilla entry: 1150279 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s): openSUSE Tumbleweed
Fixed package version(s):
  • supervisor >= 4.1.0-1.8
References (patchnames): openSUSE Tumbleweed GA supervisor-4.1.0-1.8


SUSE Timeline for this CVE

CVE page created: Tue Sep 10 20:41:50 2019
CVE page last modified: Fri Oct 7 12:50:02 2022