CVE-2010-2496
published 2021-10-18
CVE-2010-2496: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the…
Priority P4 · 24 · medium · 5.5 · CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
0.22%
13.1th percentile
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clusterlabs | cluster_glue | < 1.0.6 | 1.0.6 |
| clusterlabs | pacemaker | < 1.1.3 | 1.1.3 |
| clusterlabs | pacemaker | >= 0 < 1.1.13-1 | 1.1.13-1 |
| clusterlabs | pacemaker | >= 0 < 1.1.13-1 | 1.1.13-1 |
| clusterlabs | pacemaker | >= 0 < 1.1.13-1 | 1.1.13-1 |
| clusterlabs | pacemaker | >= 0 < 1.1.13-1 | 1.1.13-1 |
| debian | cluster-glue | < cluster-glue 1.0.6-1 (bookworm) | cluster-glue 1.0.6-1 (bookworm) |
| debian | pacemaker | < cluster-glue 1.0.6-1 (bookworm) | cluster-glue 1.0.6-1 (bookworm) |
CVSS provenance
nvd · v3.1 · 5.5 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 2.1 · LOW · AV:L/AC:L/Au:N/C:P/I:N/A:N
osv · 5.5 · MEDIUM
vendor_debian · 5.5 · MEDIUM
vendor_redhat · 5.5 · MEDIUM
GHSA
GHSA-4643-vgh5-4r2c: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to password
ghsa_unreviewed·2022-04-21
CVE-2010-2496 [MEDIUM] CWE-287 GHSA-4643-vgh5-4r2c: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to password
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
OSV
CVE-2010-2496: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to password
osv·2021-10-18·CVSS 5.5
CVE-2010-2496 [MEDIUM] CVE-2010-2496: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to password
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
Red Hat
cluster-glue: passes the stonith parameters via the commandline which could result in password leaks
vendor_redhat·2010-07-08·CVSS 5.5
CVE-2010-2496 [MEDIUM] CWE-522 cluster-glue: passes the stonith parameters via the commandline which could result in password leaks
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
A flaw was found in cluster-glue, where the stonith-ng function in cluster-glue passed passwords as command line parameters. This flaw allows local attackers to gain access to passwords of the HA stack and potentially influence its operations. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Package: cluster-glue (Red Hat Enterprise Linux 6) - Ou
Debian
CVE-2010-2496: cluster-glue - stonith-ng in pacemaker and cluster-glue passed passwords as commandline paramet...
vendor_debian·2010·CVSS 5.5
CVE-2010-2496 [MEDIUM] CVE-2010-2496: cluster-glue - stonith-ng in pacemaker and cluster-glue passed passwords as commandline paramet...
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
Scope: local
bookworm: resolved (fixed in 1.0.6-1)
bullseye: resolved (fixed in 1.0.6-1)
forky: resolved (fixed in 1.0.6-1)
sid: resolved (fixed in 1.0.6-1)
trixie: resolved (fixed in 1.0.6-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-10-18
Published