CyberSec.Space Logo
Back to CVE Browser

CVE-2020-35458

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0690%
EPSS Percentile16.76th
PublishedJan 12, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.

Affected Platforms (CPE)

πŸ“¦
Clusterlabs

Hawk

= 2.2.0-12
πŸ“¦
Clusterlabs

Hawk

= 2.3.0-12

References & Advisories

πŸ”— http://www.openwall.com/lists/oss-security/2021/01/12/3
πŸ”— https://bugzilla.suse.com/show_bug.cgi?id=1179998
πŸ”— https://github.com/ClusterLabs/hawk/releases
πŸ”— https://www.openwall.com/lists/oss-security/2021/01/12/3
πŸ”— http://www.openwall.com/lists/oss-security/2021/01/12/3
πŸ”— https://bugzilla.suse.com/show_bug.cgi?id=1179998
πŸ”— https://github.com/ClusterLabs/hawk/releases
πŸ”— https://www.openwall.com/lists/oss-security/2021/01/12/3

Related Vulnerabilities

CVE-2008-333810.0

Multiple buffer overflows in TIBCO Hawk (1) AMI C library (libtibhawkami) and (2) Hawk HMA (tibhawkhma), as used in TIBCO Hawk bef...

CVE-2021-30208.8

An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from too...

CVE-2002-08787.5

SQL injection vulnerability in the login form for LogiSense software including (1) Hawk-i Billing, (2) Hawk-i ASP and (3) DNS Mana...

CVE-2004-16377.5

The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, wh...