CVE-2020-35458

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-35458

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35458.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-35458

Downstream

SUSE-SU-2021:0088-1

SUSE-SU-2021:0089-1

SUSE-SU-2021:0090-1

SUSE-SU-2021:0192-1

SUSE-SU-2021:0198-1

SUSE-SU-2021:0200-1

openSUSE-SU-2021:0054-1

openSUSE-SU-2021:0074-1

openSUSE-SU-2021:0144-1

openSUSE-SU-2021:0147-1

openSUSE-SU-2024:12952-1

Related

Published

2021-01-12T15:15:13Z

Modified

2025-07-01T11:34:59.027941Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawkremembermeid parameter in the loginfrom_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.

References

Affected packages

Git / github.com/clusterlabs/hawk

Affected ranges

Type: GIT
Repo: https://github.com/clusterlabs/hawk
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

070a8e0c4b74ab8ef47af59fb6510ad57807baad

Last affected

fadd1ef9284a4df6c90f4248acdd76bd16bf7a3b

Affected versions

1.*

1.0.0-alpha1

2.*

2.2.0-12

2.3.0-12

hawk-0.*

hawk-0.1.1

hawk-0.1.2

hawk-0.1.3

hawk-0.2.0

hawk-0.2.1

hawk-0.3.0

hawk-0.3.1

hawk-0.3.2

hawk-0.3.3

hawk-0.3.4

hawk-0.3.5

hawk-0.3.6

hawk-0.4.0

hawk-0.4.1

hawk-0.5.0

hawk-0.5.1

hawk-0.5.2

hawk-0.6.0

hawk-0.6.1

hawk-0.6.2

hawk-2.*

hawk-2.0.0