VYPR

rpm package

suse/hawk2&distro=SUSE Linux Enterprise High Availability Extension 15

pkg:rpm/suse/hawk2&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015

Vulnerabilities (3)

  • CVE-2021-25314 (Apr 14, 2021)
    affected < 2.6.3+git.1614684118.af555ad9-3.27.1, fixed 2.6.3+git.1614684118.af555ad9-3.27.1

    A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root. This issue a

  • CVE-2020-35459 (Jan 12, 2021)
    affected < 2.6.3+git.1614684118.af555ad9-3.27.1, fixed 2.6.3+git.1614684118.af555ad9-3.27.1

    An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.

  • CVE-2020-35458 (Jan 12, 2021)
    affected < 2.3.0+git.1603969748.10468582-3.18.1, fixed 2.3.0+git.1603969748.10468582-3.18.1

    An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.