GHSA-99xx-83jm-h24m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-99xx-83jm-h24m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-99xx-83jm-h24m/GHSA-99xx-83jm-h24m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-99xx-83jm-h24m
- Aliases
- Published
- 2022-05-24T17:38:37Z
- Modified
- 2024-02-16T08:09:01.810263Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- ClusterLabs crmsh vulnerable to shell code injection
- Details
-
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call
crm history(whencrmis run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. - Database specific
{ "nvd_published_at": "2021-01-12T15:15:00Z", "cwe_ids": [ "CWE-269", "CWE-78" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-07-13T22:35:36Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-35459
- https://bugzilla.suse.com/show_bug.cgi?id=1179999
- https://github.com/ClusterLabs/crmsh
- https://github.com/ClusterLabs/crmsh/blob/a403aa15f3ea575adfe5e43bf2a31c9f9094fcda/crmsh/history.py#L476
- https://github.com/ClusterLabs/crmsh/releases
- https://lists.debian.org/debian-lts-announce/2021/01/msg00021.html
- https://www.openwall.com/lists/oss-security/2021/01/12/3
- http://www.openwall.com/lists/oss-security/2021/01/12/3
Affected packages
PyPI / crmsh
Package
- Name
- crmsh
- View open source insights on deps.dev
- Purl
- pkg:pypi/crmsh