CVE-2016-7035: An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a…

high7.8CVSS 3.0

AVLACLPRLUINSUCHIHAH

An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.

Affected

15 ranges

Vendor	Product	Version range	Fixed in
clusterlabs	pacemaker	<= 1.1.16	—
clusterlabs	pacemaker	—	—
clusterlabs	pacemaker	>= 0 < 1.1.15-3	1.1.15-3
clusterlabs	pacemaker	>= 0 < 1.1.15-3	1.1.15-3
clusterlabs	pacemaker	>= 0 < 1.1.15-3	1.1.15-3
clusterlabs	pacemaker	>= 0 < 1.1.15-3	1.1.15-3
clusterlabs	pacemaker	>= 0 < 1.1.10+git20130802-1ubuntu2.4	1.1.10+git20130802-1ubuntu2.4
clusterlabs	pacemaker	>= 0 < 1.1.14-2ubuntu1.2	1.1.14-2ubuntu1.2
debian	pacemaker	< pacemaker 1.1.15-3 (bookworm)	pacemaker 1.1.15-3 (bookworm)
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—

CVSS provenance

nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

osv7.8HIGH