On Sun, Jul 30, 2017 at 10:07:42PM +0200, Salvatore Bonaccorso wrote:
> I should add: I have chosen severity grave due to the potential of
> code execution as root if the service is enabled. Am I right that in
> *any* version present in Debian the web interface is started?
>
> If so we might lower the severity.
Actually the unix_http_server is started by default. Still, in a default installation it might be harder to exploit. Details are in the upstream bug at https://github.com/Supervisor/supervisor/issues/964

CRIT Server 'unix_http_server' running without any HTTP authentication checking

Regards,
Salvatore
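Added example, not part of the bug report and not Supervisor's own code: a small Python check that parses a supervisord.conf and reports any [unix_http_server] or [inet_http_server] section that has no username/password set, which is the condition behind the CRIT line quoted above. It also flags an inet server bound to all interfaces and a UNIX socket whose chmod lets group or other reach it. The two sample configurations and the `audit` helper are constructed for illustration; the 0700 fallback for a missing chmod follows the supervisord documentation and is an assumption here rather than something the thread states.

```python
import configparser

# Constructed sample: credentials missing on both HTTP servers, and the
# inet server bound to every interface. Not taken from any real install.
WEAK_CONF = """
[unix_http_server]
file=/var/run/supervisor.sock

[inet_http_server]
port=*:9001

[supervisord]
logfile=/var/log/supervisor/supervisord.log
"""

# Constructed sample: UNIX socket only, owner-only mode, credentials set.
# The password is a placeholder; supervisord also accepts {SHA} hashes.
HARDENED_CONF = """
[unix_http_server]
file=/var/run/supervisor.sock
chmod=0700
chown=root:root
username=supervisor
password=replace-me

[supervisord]
logfile=/var/log/supervisor/supervisord.log
"""

HTTP_SERVER_SECTIONS = ("unix_http_server", "inet_http_server")
NO_AUTH_MSG = "running without any HTTP authentication checking"


def parse_conf(text):
    """Parse supervisord-style INI text without %(...)s interpolation,
    since supervisord uses its own expansion (e.g. %(here)s)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of (section, message) findings for the given config text."""
    cp = parse_conf(text)
    findings = []
    for section in HTTP_SERVER_SECTIONS:
        if not cp.has_section(section):
            continue

        # Both username and password must be present for supervisord to
        # enforce HTTP auth on the XML-RPC interface.
        user = cp.get(section, "username", fallback="").strip()
        pw = cp.get(section, "password", fallback="").strip()
        if not (user and pw):
            findings.append((section, NO_AUTH_MSG))

        if section == "inet_http_server":
            # port is "host:port"; an empty host or "*" binds all interfaces.
            port = cp.get(section, "port", fallback="")
            host = port.rsplit(":", 1)[0] if ":" in port else ""
            if host in ("", "*", "0.0.0.0"):
                findings.append((section, f"port={port!r} listens on all interfaces"))

        if section == "unix_http_server":
            # Assumed default of 0700 when chmod is absent (per supervisord docs).
            chmod = cp.get(section, "chmod", fallback="0700").strip()
            mode = int(chmod, 8)
            if mode & 0o077:
                findings.append((section, f"chmod={chmod} lets group/other reach the socket"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for section, msg in audit(conf) or [("-", "no findings")]:
            print(f"CRIT Server '{section}' {msg}" if msg == NO_AUTH_MSG else f"WARN {section}: {msg}")
```

Run it against a real /etc/supervisor/supervisord.conf by reading the file into `audit`; an empty result means every configured HTTP server requires credentials, the UNIX socket is owner-only, and no inet listener is exposed on all interfaces. Included conf.d fragments are not followed here, so check them separately.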