CVE-2010-2496

CWE-287 — Improper Authentication CWE-522 — Insufficiently Protected Credentials6 documents6 sources

Severity

5.5MEDIUM

EPSS

0.0%

top 87.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Clusterlabs Cluster Glue Clusterlabs Pacemaker

Timeline

PublishedOct 18

Latest updateApr 21

Description

stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶NVDclusterlabs/pacemaker< 1.1.3

▶NVDclusterlabs/cluster_glue< 1.0.6

▶Debiancluster-glue< 1.0.6-1+3

▶Debianpacemaker< 1.1.13-1+3

Patches

Patch: bugzilla.suse.com ↗Patch: bugzilla.suse.com ↗

🔴Vulnerability Details

GHSA

GHSA-4643-vgh5-4r2c: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to password↗2022-04-21

▶

OSV

CVE-2010-2496: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to password↗2021-10-18

▶

CVEList

CVE-2010-2496: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to password↗2021-10-18

▶

📋Vendor Advisories

Red Hat

cluster-glue: passes the stonith parameters via the commandline which could result in password leaks↗2010-07-08

▶

Debian

CVE-2010-2496: cluster-glue - stonith-ng in pacemaker and cluster-glue passed passwords as commandline paramet...↗2010

▶