
CVE-2020-35459: ClusterLabs crmsh vulnerable to shell code injection

CVSS Score: 7.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.1388%
Published: 5/24/2022
Updated: 8/23/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| crmsh | pip | <= 4.2.1 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is in the session creation functionality, where user-controlled input (the session name) is passed to a shell command without proper sanitization. The code at line 476 of history.py calls utils.pipe_cmd_nosudo() with a formatted string containing session_dir, which could contain malicious shell characters. The patch from SUSE Bugzilla fixes this by replacing the system mkdir call with Python's Path.mkdir(), which confirms that the flaw was the use of a shell command with user input.
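The pattern described above and the direction of the fix, as an added example that is not crmsh code: the function names are hypothetical, `subprocess.run(..., shell=True)` stands in for `utils.pipe_cmd_nosudo()`, and the path-component check is extra hardening assumed here rather than taken from the patch.

```python
import subprocess
import tempfile
from pathlib import Path


def create_session_dir_shell(base: Path, session_name: str) -> None:
    """'Before' pattern: the session name is formatted into a shell command."""
    session_dir = f"{base}/{session_name}"
    # /bin/sh parses the whole string, so metacharacters in session_name
    # become shell syntax. cwd=base only keeps the demo's side effect local.
    subprocess.run("mkdir -p %s" % session_dir, shell=True, cwd=base, check=False)


def create_session_dir_safe(base: Path, session_name: str) -> Path:
    """'After' pattern: Path.mkdir(), no shell involved."""
    # Assumed extra check: the name must be a single path component.
    if not session_name or "/" in session_name or session_name in (".", ".."):
        raise ValueError("invalid session name")
    session_dir = base / session_name
    session_dir.mkdir(parents=True, exist_ok=True)
    return session_dir


def demo() -> dict:
    """Run both variants on one constructed name and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        marker = root / "injected_marker"
        # Constructed input: a name that carries a harmless second command.
        name = "s1; touch injected_marker"

        create_session_dir_shell(root, name)
        shell_ran_extra = marker.exists()
        marker.unlink(missing_ok=True)

        made = create_session_dir_safe(root, name)
        return {
            "shell_ran_extra_command": shell_ran_extra,
            "safe_ran_extra_command": marker.exists(),
            "safe_dir_is_literal": made.is_dir() and made.name == name,
        }


if __name__ == "__main__":
    print(demo())
```

With the shell variant the text after `;` runs as its own command; with `Path.mkdir()` the same string only ever becomes a directory name.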


WAF Protection Rules

WAF Rule

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call `crm history` (when `crm` is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privi
