First published: Tue Jan 12 2021
An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.
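The defect class described above is untrusted cookie data reaching a shell from Ruby. The following is an added illustration, not Hawk's own code: a hypothetical logout helper that validates the remember-me identifier against a strict format and passes it to the external program as an argv array, so no shell ever parses it. The command path and the token format are assumptions for the example.

```ruby
# Added example (not from the Hawk project): handling a cookie-supplied
# identifier safely before it is handed to an external command.

# Hypothetical strict format for the remember-me id: a short alphanumeric
# token. Anything else (spaces, quotes, ';', '$', backticks ...) is rejected.
REMEMBER_ME_ID_FORMAT = /\A[A-Za-z0-9]{1,64}\z/.freeze

def valid_remember_me_id?(value)
  value.is_a?(String) && REMEMBER_ME_ID_FORMAT.match?(value)
end

# Builds the argv for the (hypothetical) logout helper. Returning an array
# and later calling system(*argv) makes Ruby exec the program directly,
# bypassing /bin/sh, which is what a single interpolated string such as
# "helper #{id}" would go through. Validation runs first regardless.
def logout_argv(cookie_id)
  unless valid_remember_me_id?(cookie_id)
    raise ArgumentError, 'rejected remember-me id from cookie'
  end
  ['/usr/bin/true', cookie_id] # placeholder program path for the example
end

# Simulated logout routine: returns true when the helper ran, false when
# the cookie value was rejected. Nothing is interpolated into a shell string.
def logout_from_cookie(cookie_id)
  argv = logout_argv(cookie_id)
  system(*argv) ? true : false
rescue ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  puts logout_from_cookie('abc123DEF')  # well-formed id: helper runs
  puts logout_from_cookie('x; id')      # constructed hostile value: rejected
end
```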
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
ClusterLabs Hawk | =2.2.0-12 | 
ClusterLabs Hawk | =2.3.0-12 | 
CVE-2020-35458 is a vulnerability in ClusterLabs Hawk 2.x through 2.3.0-x that allows unauthenticated remote attackers to execute code as hauser.
CVE-2020-35458 has a severity rating of 9.8 (critical).
CVE-2020-35458 is a Ruby shell code injection vulnerability that occurs via the hawk_remember_me_id parameter in the login_from_cookie cookie.
Versions 2.2.0-12 and 2.3.0-12 of ClusterLabs Hawk are affected by CVE-2020-35458.
Update ClusterLabs Hawk to a version above 2.3.0-x to fix CVE-2020-35458.