CyberSec.Space Logo
返回 CVE 浏览器

CVE-2021-3020

HIGH
8.8
CVSS Severity Score
EPSS Score0.0080%
EPSS Percentile17.11th
Published2022年8月26日
Last Modified2024年11月21日

Vulnerability Description

An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.

Affected Platforms (CPE)

📦
Clusterlabs

Hawk

<= 2.3.0-15

References & Advisories

🔗 https://bugzilla.suse.com/show_bug.cgi?id=1180571
🔗 https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82
🔗 https://github.com/ClusterLabs/hawk/releases
🔗 https://bugzilla.suse.com/show_bug.cgi?id=1180571
🔗 https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82
🔗 https://github.com/ClusterLabs/hawk/releases

相关漏洞威胁

CVE-2008-333810.0

Multiple buffer overflows in TIBCO Hawk (1) AMI C library (libtibhawkami) and (2) Hawk HMA (tibhawkhma), as used in TIBCO Hawk bef...

CVE-2020-354589.8

An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_...

CVE-2002-08787.5

SQL injection vulnerability in the login form for LogiSense software including (1) Hawk-i Billing, (2) Hawk-i ASP and (3) DNS Mana...

CVE-2004-16377.5

The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, wh...