An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2021/01/12/3 | Mailing List Patch Third Party Advisory |
https://bugzilla.suse.com/show_bug.cgi?id=1179998 | Issue Tracking Patch Third Party Advisory |
https://github.com/ClusterLabs/hawk/releases | Release Notes Third Party Advisory |
https://www.openwall.com/lists/oss-security/2021/01/12/3 | Mailing List Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Jan 2021, 14:28
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:clusterlabs:hawk:2.2.0-12:*:*:*:*:*:*:* cpe:2.3:a:clusterlabs:hawk:2.3.0-12:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 10.0
v3 : 9.8 |
CWE | CWE-94 | |
References | (MISC) https://github.com/ClusterLabs/hawk/releases - Release Notes, Third Party Advisory | |
References | (CONFIRM) https://www.openwall.com/lists/oss-security/2021/01/12/3 - Mailing List, Patch, Third Party Advisory | |
References | (MISC) https://bugzilla.suse.com/show_bug.cgi?id=1179998 - Issue Tracking, Patch, Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2021/01/12/3 - Mailing List, Patch, Third Party Advisory |
12 Jan 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-01-12 15:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-35458
Mitre link : CVE-2020-35458
CVE.ORG link : CVE-2020-35458
JSON object : View
Products Affected
clusterlabs
- hawk
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')