CVE-2016-0720
Published: 2017-04-21
Priority: P3 (35) · CVSS 3.0: 8.8 high
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.41% (69.3rd percentile)
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clusterlabs | pcs | <= 0.9.148 | — |
| clusterlabs | pcs | >= 0 < 0.9.149-1 | 0.9.149-1 |
| debian | pcs | < 0.9.149-1 (bookworm) | 0.9.149-1 (bookworm) |
| fedoraproject | fedora | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
OSV: 8.8 HIGH
Debian: 8.8 HIGH
Red Hat: 8.8 HIGH
GHSA
GHSA-ww6q-37hf-xhwr (unreviewed, 2022-05-17) · HIGH · CWE-352
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
OSV
CVE-2016-0720 (2017-04-21) · CVSS 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
Red Hat
pcs: Cross-Site Request Forgery in web UI (2016-02-16) · CVSS 8.8 HIGH · CWE-352
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes.
Statement: This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 6, as the web UI functionality is disabled by default in pcsd.
Package: pcs (Red Hat Enterprise Linux 6) - Will not fix
Debian
pcs: Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149 (2016) · CVSS 8.8 HIGH
Scope: local
bookworm: resolved (fixed in 0.9.149-1)
bullseye: resolved (fixed in 0.9.149-1)
forky: resolved (fixed in 0.9.149-1)
sid: resolved (fixed in 0.9.149-1)
trixie: resolved (fixed in 0.9.149-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-0720 CVE-2016-0721 pcs: various flaws [fedora-all] (2016-02-16) · CVSS 8.8 HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
Bugzilla
CVE-2016-0720 pcs: Cross-Site Request Forgery in web UI (2016-01-18) · CVSS 8.8 HIGH
The pcsd web UI is vulnerable to Cross-Site Request Forgery (CSRF). A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources, restarting/removing nodes, etc.
Each request includes 'X-Requested-With: XMLHttpRequest' but this header is not checked server side.
Discussion:
Acknowledgements:
Name: Martin Prpic (Red Hat Product Security)
---
Statement:
This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 6, as the web UI functionality is disabled by default in pcsd.
---
Upstream patches:
https://github.com/feist/pcs/commit/3360e
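The Red Hat advisory and the bug entry above say what the flaw is (a valid pcsd session cookie alone authorizes state-changing requests) and what the UI already sends but the server never checks ('X-Requested-With: XMLHttpRequest'). The following is an added example, not pcsd's own code or the upstream fix: it models the vulnerable authorization decision next to a hardened one, using plain Rack-style env hashes so it runs without Sinatra. The route names, the hostnames and the requests are constructed for illustration; the https scheme and the port 2224 are assumptions about a default pcsd deployment.

```ruby
# Added example (not pcsd's own code): the CSRF check that a pcsd-style web
# UI needs on state-changing routes, written against plain Rack-style env
# hashes so it runs without Sinatra. Route names and hostnames are made up.

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Behaviour the advisory describes: a valid session cookie is all that
# authorizes a request. The 'X-Requested-With: XMLHttpRequest' header that
# the UI's own JavaScript sends is never inspected, so a cross-site <form>
# POST that the browser decorates with the victim's cookie is accepted.
def vulnerable_authorized?(_env, session_valid)
  session_valid
end

# Origin the server expects on same-origin requests. pcsd serves the UI over
# HTTPS, so the scheme is assumed to be https here.
def expected_origin(env)
  "https://#{env['HTTP_HOST']}"
end

# Hardened check. Besides a valid session, every state-changing request must
# (1) carry the custom header and (2) not claim a foreign Origin.
# An HTML form cannot set custom headers at all, and a cross-origin
# XMLHttpRequest/fetch that adds one is turned into a CORS preflight that
# this server never approves, so the header's presence shows the request
# came from same-origin script. The Origin comparison is defence in depth.
def hardened_authorized?(env, session_valid)
  return false unless session_valid
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  return false unless env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
  origin = env['HTTP_ORIGIN']
  origin.nil? || origin == expected_origin(env)
end

# Constructed sample requests, not captured traffic.
HOST = 'node1.example.test:2224' # 2224 is pcsd's default port

# What the legitimate UI sends when the operator clicks "remove resource".
UI_XHR = {
  'REQUEST_METHOD'        => 'POST',
  'PATH_INFO'             => '/remove_resource',
  'HTTP_HOST'             => HOST,
  'HTTP_ORIGIN'           => "https://#{HOST}",
  'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'
}.freeze

# An auto-submitting <form> on an attacker page, visited while a pcsd session
# cookie is live: same path and cookie, no custom header, foreign Origin.
CROSS_SITE_FORM = {
  'REQUEST_METHOD' => 'POST',
  'PATH_INFO'      => '/remove_resource',
  'HTTP_HOST'      => HOST,
  'HTTP_ORIGIN'    => 'https://attacker.example'
}.freeze

# Plain navigation to the UI must keep working without the header.
UI_PAGE_LOAD = {
  'REQUEST_METHOD' => 'GET',
  'PATH_INFO'      => '/manage',
  'HTTP_HOST'      => HOST
}.freeze

# Runs both checks over the samples; each value is [vulnerable, hardened].
def compare(session_valid = true)
  { ui_xhr: UI_XHR, cross_site_form: CROSS_SITE_FORM, page_load: UI_PAGE_LOAD }
    .transform_values do |env|
      [vulnerable_authorized?(env, session_valid),
       hardened_authorized?(env, session_valid)]
    end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |name, (vuln, hard)|
    puts "#{name}: vulnerable=#{vuln} hardened=#{hard}"
  end
end
```

The cross-site form is the only sample the two checks disagree on, which is exactly the gap the advisory describes. Two caveats: a header check only blocks CSRF as long as the browser enforces CORS, so same-origin XSS or a CORS policy that allows the header from other origins defeats it; and it says nothing about whether the session itself is legitimate. A synchronizer token tied to the session or SameSite cookies are the more robust options for new code. For exposure, the first question on RHEL 6 is whether the pcsd web UI is enabled at all (Red Hat notes it is off by default there); elsewhere, confirm the installed pcs is 0.9.149 or later.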
References
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178384.html
http://rhn.redhat.com/errata/RHSA-2016-2596.html
http://www.securityfocus.com/bid/97984
https://bugzilla.redhat.com/show_bug.cgi?id=1299614
https://github.com/ClusterLabs/pcs/commit/b9e7f061788c3b86a0c67d2d4158f067ec5eb625