{"id":"CVE-2020-35458","details":"An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.","modified":"2026-05-30T15:29:09.063961Z","published":"2021-01-12T15:15:13.890Z","related":["SUSE-SU-2021:0088-1","SUSE-SU-2021:0089-1","SUSE-SU-2021:0090-1","SUSE-SU-2021:0192-1","SUSE-SU-2021:0198-1","SUSE-SU-2021:0200-1","openSUSE-SU-2021:0054-1","openSUSE-SU-2021:0074-1","openSUSE-SU-2021:0144-1","openSUSE-SU-2021:0147-1","openSUSE-SU-2024:12952-1"],"references":[{"type":"ADVISORY","url":"https://github.com/ClusterLabs/hawk/releases"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2021/01/12/3"},{"type":"FIX","url":"https://bugzilla.suse.com/show_bug.cgi?id=1179998"},{"type":"FIX","url":"https://www.openwall.com/lists/oss-security/2021/01/12/3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/clusterlabs/hawk","events":[{"introduced":"0"},{"last_affected":"fadd1ef9284a4df6c90f4248acdd76bd16bf7a3b"},{"last_affected":"070a8e0c4b74ab8ef47af59fb6510ad57807baad"}],"database_specific":{"source":"CPE_STRING","extracted_events":[{"introduced":"0"},{"last_affected":"2.2.0-12"},{"last_affected":"2.3.0-12"}],"cpe":["cpe:2.3:a:clusterlabs:hawk:2.2.0-12:*:*:*:*:*:*:*","cpe:2.3:a:clusterlabs:hawk:2.3.0-12:*:*:*:*:*:*:*"]}}],"versions":["2.3.0-12","2.2.0-12","hawk-2.0.0","1.0.0-alpha1","hawk-0.6.2","hawk-0.6.1","hawk-0.6.0","hawk-0.5.2","hawk-0.5.1","hawk-0.5.0","hawk-0.4.1","hawk-0.4.0","hawk-0.3.6","hawk-0.3.5","hawk-0.3.4","hawk-0.3.3","hawk-0.3.2","hawk-0.3.1","hawk-0.3.0","hawk-0.2.1","hawk-0.2.0","hawk-0.1.3","hawk-0.1.2","hawk-0.1.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35458.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}