CVE-2020-35459
crmsh - security update
Score: 7.8 HIGH (CVSS 3.1); EPSS 0.04%
Description
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.
How to fix CVE-2020-35459
To remediate CVE-2020-35459, upgrade the affected package to a fixed version below.
- Debian/crmsh — upgrade to 4.2.1-2 or later
- —upgrade to 2.3.2-4+deb9u1 or later
- —no fix listed
Is CVE-2020-35459 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 4.2.1-2
- from 0, < 2.3.2-4+deb9u1
- from 0, <= 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.8) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |