CVE-2020-35458
CRITICALClusterLabs Hawk 2.x-2.3.0 - Unauthenticated OS Command Injection via hawk_remember_me_id Cookie Parameter
Title source: llmDescription
An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.
References (4)
Core 4
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.suse.com/show_bug.cgi?id=1179998
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/ClusterLabs/hawk/releases
Mailing List, Patch, Third Party Advisory x_refsource_confirm
https://www.openwall.com/lists/oss-security/2021/01/12/3
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/01/12/3
Scores
CVSS v3
9.8
EPSS
0.0533
EPSS Percentile
91.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
clusterlabs/hawk
2.2.0-12
clusterlabs/hawk
2.3.0-12
Published
Jan 12, 2021
Tracked Since
Feb 18, 2026