CVE-2020-35459
https://notcve.org/view.php?id=CVE-2020-35459
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. Se detectó un problema en ClusterLabs crmsh versiones hasta 4.2.1. Los atacantes locales capaces de llamar a "crm history" (cuando se ejecuta "crm") fueron capaces de ejecutar comandos por medio de una inyección de código de shell en la línea de comandos del histórico del crm, potencialmente permitiendo una escalada de privilegios • http://www.openwall.com/lists/oss-security/2021/01/12/3 https://bugzilla.suse.com/show_bug.cgi?id=1179999 https://github.com/ClusterLabs/crmsh/blob/a403aa15f3ea575adfe5e43bf2a31c9f9094fcda/crmsh/history.py#L476 https://github.com/ClusterLabs/crmsh/releases https://lists.debian.org/debian-lts-announce/2021/01/msg00021.html https://www.openwall.com/lists/oss-security/2021/01/12/3 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •