CVE-2021-3020

{"id": "CVE-2021-3020", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-08-26T00:15:08.773", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1180571", "tags": ["Permissions Required"], "source": "cve@mitre.org"}, {"url": "https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/ClusterLabs/hawk/releases", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive \"shell\" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root."}, {"lang": "es", "value": "Se ha detectado un problema en ClusterLabs Hawk (tambi\u00e9n se conoce como HA Web Konsole) hasta la versi\u00f3n 2.3.0-15. Es enviado el binario hawk_invoke (construido a partir de tools/hawk_invoke.c), destinado a ser usado como un programa setuid. Esto permite al usuario hacluster invocar determinados comandos como root (con un intento de limitar esto a combinaciones seguras). Este usuario es capaz de ejecutar un \"shell\" interactivo que no est\u00e1 limitado a los comandos especificados en hawk_invoke, permitiendo una escalada a root."}], "lastModified": "2023-08-08T14:22:24.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:clusterlabs:hawk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB239D06-C0CE-4BAB-9974-D872E9D3E167", "versionEndIncluding": "2.3.0-15"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}