Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Mageia 7 MGASA-2021-0049 Critical: Crmsh Privilege Escalation Risk

mageia
Calendar Grey January 22, 2021
Dist Mageia Esm H88
Mageia has released updates for crmsh packages to address a critical command injection vulnerability that could enable local privilege elevation.
The crm configure and hb_report commands failed to sanitize sensitive information by default (bsc#1163581)

Summary

The crm configure and hb_report commands failed to sanitize sensitive information by default (bsc#1163581).
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackersable to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges (CVE-2020-25459).
The crmsh package has been updated to the latest git snapshot and patched for CVE-2020-25459, fixing these issues and several others.

References

- https://bugs.mageia.org/show_bug.cgi?id=27444

- -

- https://www.cve.org/CVERecord?id=CVE-2020-25459

Topics%20covered

Topics Covered

security advisory critical privilege escalation command injection Mageia crmsh

Resolution

SRPMS

- 7/core/crmsh-4.2.0-0.39d42c2.1.1.mga7

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 22 Jan 2021
URL: https://advisories.mageia.org/MGASA-2021-0049.html
Type: security
CVE: CVE-2020-25459

Topics%20covered

Topics Covered

security advisory critical privilege escalation command injection Mageia crmsh

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here